All Taskcluster endpoints are guarded by scopes. The authentication information passed with each API call is used to determine a set of scopes associated with the caller. These are compared against the scopes required by the endpoint. If they are satisfied, the request is allowed to proceed.
The scopes required for each endpoint are documented in the reference section of this manual. Note that some API endpoints may have additional scope requirements that depend on the body of the request; read the endpoint documentation carefully to discover these.
See the taskcluster-auth docs for more detailed information on scopes, scope satisfaction, and stars in scopes.