Taskcluster authentication begins with "clients". Each client has a name (clientId) and a secret access token. These can be used together to make API requests to Taskcluster services. Each client has a set of scopes associated with it, controlling what that client can do.

See the taskcluster-auth docs for more detailed information.

The set of defined clients is visible in the Clients tool. This interface helpfully shows both the scopes configured for the client, and the "expanded scopes" that result after all roles are expanded. Note that, in keeping with the open nature of Taskcluster, anyone can see the full list of clients.

NOTE Taskcluster does not identify users. All API calls are made with Taskcluster credentials, which include a clientId, but that identifier does not necessarily relate to a specific person or "user account" of any sort.