diff --git a/internal/http_path/v2/routes.go b/internal/http_path/v2/routes.go
index 456038d..57aab48 100644
--- a/internal/http_path/v2/routes.go
+++ b/internal/http_path/v2/routes.go
@@ -22,125 +22,125 @@ import (
 // SetRoutes sets the routes that the back end server serves
 func SetRoutes(r *mux.Router, e *casbin.Enforcer) {
 // Policy
- r.Handle(ConfigReadPolicy, m.Chain(policyHandler.ConfigReadPolicy, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("GET")
- r.Handle(ConfigCreatePolicy, m.Chain(policyHandler.ConfigCreatePolicy, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("POST")
- r.Handle(ConfigUpdatePolicy, m.Chain(policyHandler.ConfigUpdatePolicy, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("PUT")
- r.Handle(ConfigListPolicyRevisions, m.Chain(policyHandler.ConfigListPolicyRevisions, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("GET")
- r.Handle(ConfigDeletePolicy, m.Chain(policyHandler.ConfigDeletePolicy, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("DELETE")
- r.Handle(ConfigListPolicies, m.Chain(policyHandler.ConfigListPolicies, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("GET")
+ r.Handle(ConfigReadPolicy, m.Chain(policyHandler.ConfigReadPolicy, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("GET")
+ r.Handle(ConfigCreatePolicy, m.Chain(policyHandler.ConfigCreatePolicy, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("POST")
+ r.Handle(ConfigUpdatePolicy, m.Chain(policyHandler.ConfigUpdatePolicy, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("PUT")
+ r.Handle(ConfigListPolicyRevisions, m.Chain(policyHandler.ConfigListPolicyRevisions, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("GET")
+ r.Handle(ConfigDeletePolicy, m.Chain(policyHandler.ConfigDeletePolicy, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("DELETE")
+ r.Handle(ConfigListPolicies, m.Chain(policyHandler.ConfigListPolicies, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("GET")
 // Data agreement
- r.Handle(ConfigReadDataAgreement, m.Chain(dataAgreementHandler.ConfigReadDataAgreement, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("GET")
- r.Handle(ConfigCreateDataAgreement, m.Chain(dataAgreementHandler.ConfigCreateDataAgreement, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("POST")
- r.Handle(ConfigUpdateDataAgreement, m.Chain(dataAgreementHandler.ConfigUpdateDataAgreement, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("PUT")
- r.Handle(ConfigListDataAgreementRevisions, m.Chain(dataAgreementHandler.ConfigListDataAgreementRevisions, m.Logger(), m.LogApiCalls(), m.SetApplicationMode(), m.Authorize(e), m.Authenticate(), m.AddContentType())).Methods("GET")
- r.Handle(ConfigDeleteDataAgreement, m.Chain(dataAgreementHandler.ConfigDeleteDataAgreement, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("DELETE")
- r.Handle(ConfigListDataAgreements, m.Chain(dataAgreementHandler.ConfigListDataAgreements, m.Logger(), m.LogApiCalls(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("GET")
- r.Handle(ConfigListDataAttributesForDataAgreement, m.Chain(dataAgreementHandler.ConfigListDataAttributesForDataAgreement, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("GET")
+ r.Handle(ConfigReadDataAgreement, m.Chain(dataAgreementHandler.ConfigReadDataAgreement, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("GET")
+ r.Handle(ConfigCreateDataAgreement, m.Chain(dataAgreementHandler.ConfigCreateDataAgreement, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("POST")
+ r.Handle(ConfigUpdateDataAgreement, m.Chain(dataAgreementHandler.ConfigUpdateDataAgreement, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("PUT")
+ r.Handle(ConfigListDataAgreementRevisions, m.Chain(dataAgreementHandler.ConfigListDataAgreementRevisions, m.Logger(), m.LogApiCalls(), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authorize(e), m.Authenticate(), m.AddContentType())).Methods("GET")
+ r.Handle(ConfigDeleteDataAgreement, m.Chain(dataAgreementHandler.ConfigDeleteDataAgreement, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("DELETE")
+ r.Handle(ConfigListDataAgreements, m.Chain(dataAgreementHandler.ConfigListDataAgreements, m.Logger(), m.LogApiCalls(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("GET")
+ r.Handle(ConfigListDataAttributesForDataAgreement, m.Chain(dataAgreementHandler.ConfigListDataAttributesForDataAgreement, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("GET")
 // Data attribute
- r.Handle(ConfigUpdateDataAttribute, m.Chain(dataAttributeHandler.ConfigUpdateDataAttribute, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("PUT")
- r.Handle(ConfigListDataAttributes, m.Chain(dataAttributeHandler.ConfigListDataAttributes, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("GET")
+ r.Handle(ConfigUpdateDataAttribute, m.Chain(dataAttributeHandler.ConfigUpdateDataAttribute, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("PUT")
+ r.Handle(ConfigListDataAttributes, m.Chain(dataAttributeHandler.ConfigListDataAttributes, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("GET")
 // Organisation webhooks related api(s)
- r.Handle(ConfigReadWebhook, m.Chain(webhookHandler.ConfigReadWebhook, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("GET")
- r.Handle(ConfigCreateWebhook, m.Chain(webhookHandler.ConfigCreateWebhook, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("POST")
- r.Handle(ConfigUpdateWebhook, m.Chain(webhookHandler.ConfigUpdateWebhook, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("PUT")
- r.Handle(ConfigDeleteWebhook, m.Chain(webhookHandler.ConfigDeleteWebhook, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("DELETE")
- r.Handle(ConfigListWebhooks, m.Chain(webhookHandler.ConfigListWebhooks, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("GET")
- r.Handle(ConfigPingWebhook, m.Chain(webhookHandler.ConfigPingWebhook, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("POST")
- r.Handle(ConfigListRecentWebhookDeliveries, m.Chain(webhookHandler.ConfigListRecentWebhookDeliveries, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("GET")
- r.Handle(ConfigReadRecentWebhookDelivery, m.Chain(webhookHandler.ConfigReadRecentWebhookDelivery, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("GET")
- r.Handle(ConfigRedeliverWebhookPayloadByDeliveryID, m.Chain(webhookHandler.ConfigRedeliverWebhookPayloadByDeliveryID, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("POST")
- r.Handle(ConfigListWebhookEventTypes, m.Chain(webhookHandler.ConfigListWebhookEventTypes, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("GET")
- r.Handle(ConfigListWebhookPayloadContentTypes, m.Chain(webhookHandler.ConfigListWebhookPayloadContentTypes, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("GET")
+ r.Handle(ConfigReadWebhook, m.Chain(webhookHandler.ConfigReadWebhook, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("GET")
+ r.Handle(ConfigCreateWebhook, m.Chain(webhookHandler.ConfigCreateWebhook, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("POST")
+ r.Handle(ConfigUpdateWebhook, m.Chain(webhookHandler.ConfigUpdateWebhook, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("PUT")
+ r.Handle(ConfigDeleteWebhook, m.Chain(webhookHandler.ConfigDeleteWebhook, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("DELETE")
+ r.Handle(ConfigListWebhooks, m.Chain(webhookHandler.ConfigListWebhooks, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("GET")
+ r.Handle(ConfigPingWebhook, m.Chain(webhookHandler.ConfigPingWebhook, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("POST")
+ r.Handle(ConfigListRecentWebhookDeliveries, m.Chain(webhookHandler.ConfigListRecentWebhookDeliveries, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("GET")
+ r.Handle(ConfigReadRecentWebhookDelivery, m.Chain(webhookHandler.ConfigReadRecentWebhookDelivery, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("GET")
+ r.Handle(ConfigRedeliverWebhookPayloadByDeliveryID, m.Chain(webhookHandler.ConfigRedeliverWebhookPayloadByDeliveryID, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("POST")
+ r.Handle(ConfigListWebhookEventTypes, m.Chain(webhookHandler.ConfigListWebhookEventTypes, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("GET")
+ r.Handle(ConfigListWebhookPayloadContentTypes, m.Chain(webhookHandler.ConfigListWebhookPayloadContentTypes, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("GET")
 // Organisation identity provider related API(s)
- r.Handle(AddIdentityProvider, m.Chain(idpHandler.ConfigCreateIdp, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("POST")
- r.Handle(UpdateIdentityProvider, m.Chain(idpHandler.UpdateIdentityProvider, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("PUT")
- r.Handle(DeleteIdentityProvider, m.Chain(idpHandler.DeleteIdentityProvider, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("DELETE")
- r.Handle(GetIdentityProvider, m.Chain(idpHandler.GetIdentityProvider, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("GET")
- r.Handle(ConfigListIdentityProviders, m.Chain(idpHandler.ConfigListIdps, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("GET")
+ r.Handle(AddIdentityProvider, m.Chain(idpHandler.ConfigCreateIdp, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("POST")
+ r.Handle(UpdateIdentityProvider, m.Chain(idpHandler.UpdateIdentityProvider, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("PUT")
+ r.Handle(DeleteIdentityProvider, m.Chain(idpHandler.DeleteIdentityProvider, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("DELETE")
+ r.Handle(GetIdentityProvider, m.Chain(idpHandler.GetIdentityProvider, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("GET")
+ r.Handle(ConfigListIdentityProviders, m.Chain(idpHandler.ConfigListIdps, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("GET")
 // Individual related api(s)
- r.Handle(ConfigReadIndividual, m.Chain(configIndividualHandler.ConfigReadIndividual, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("GET")
- r.Handle(ConfigCreateIndividual, m.Chain(configIndividualHandler.ConfigCreateIndividual, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("POST")
- r.Handle(ConfigUpdateIndividual, m.Chain(configIndividualHandler.ConfigUpdateIndividual, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("PUT")
- r.Handle(ConfigListIndividuals, m.Chain(configIndividualHandler.ConfigListIndividuals, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("GET")
+ r.Handle(ConfigReadIndividual, m.Chain(configIndividualHandler.ConfigReadIndividual, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("GET")
+ r.Handle(ConfigCreateIndividual, m.Chain(configIndividualHandler.ConfigCreateIndividual, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("POST")
+ r.Handle(ConfigUpdateIndividual, m.Chain(configIndividualHandler.ConfigUpdateIndividual, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("PUT")
+ r.Handle(ConfigListIndividuals, m.Chain(configIndividualHandler.ConfigListIndividuals, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("GET")
 // Api key related api(s)
- r.Handle(ConfigCreateApiKey, m.Chain(apiKeyHandler.ConfigCreateApiKey, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("POST")
- r.Handle(ConfigDeleteApiKey, m.Chain(apiKeyHandler.ConfigDeleteApiKey, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("DELETE")
- r.Handle(ConfigUpdateApiKey, m.Chain(apiKeyHandler.ConfigUpdateApiKey, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("PUT")
- r.Handle(ConfigListApiKey, m.Chain(apiKeyHandler.ConfigListApiKey, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("GET")
+ r.Handle(ConfigCreateApiKey, m.Chain(apiKeyHandler.ConfigCreateApiKey, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("POST")
+ r.Handle(ConfigDeleteApiKey, m.Chain(apiKeyHandler.ConfigDeleteApiKey, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("DELETE")
+ r.Handle(ConfigUpdateApiKey, m.Chain(apiKeyHandler.ConfigUpdateApiKey, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("PUT")
+ r.Handle(ConfigListApiKey, m.Chain(apiKeyHandler.ConfigListApiKey, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("GET")
- r.Handle(ConfigCreateIndividualsInBulk, m.Chain(configIndividualHandler.ConfigCreateIndividualsInBulk, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("POST")
+ r.Handle(ConfigCreateIndividualsInBulk, m.Chain(configIndividualHandler.ConfigCreateIndividualsInBulk, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("POST")
- r.Handle(ConfigReadPrivacyDashboard, m.Chain(privacyDashboardHandler.ConfigReadPrivacyDashboard, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("GET")
+ r.Handle(ConfigReadPrivacyDashboard, m.Chain(privacyDashboardHandler.ConfigReadPrivacyDashboard, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("GET")
 // Service api(s)
 // Data agreements
- r.Handle(ServiceReadDataAgreement, m.Chain(serviceHandler.ServiceReadDataAgreement, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("GET")
- r.Handle(ServiceListDataAgreements, m.Chain(serviceHandler.ServiceListDataAgreements, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("GET")
+ r.Handle(ServiceReadDataAgreement, m.Chain(serviceHandler.ServiceReadDataAgreement, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("GET")
+ r.Handle(ServiceListDataAgreements, m.Chain(serviceHandler.ServiceListDataAgreements, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("GET")
 // Read an idp
- r.Handle(ServiceReadIdp, m.Chain(serviceHandler.ServiceReadIdp, m.Logger(), m.SetApplicationMode(), m.AddContentType())).Methods("GET")
+ r.Handle(ServiceReadIdp, m.Chain(serviceHandler.ServiceReadIdp, m.LoggerNoAuth(), m.SetApplicationMode(), m.AddContentType())).Methods("GET")
 // Policy
- r.Handle(ServiceReadPolicy, m.Chain(serviceHandler.ServiceReadPolicy, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("GET")
+ r.Handle(ServiceReadPolicy, m.Chain(serviceHandler.ServiceReadPolicy, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("GET")
 // Data attributes
- r.Handle(ServiceListDataAttributesForDataAgreement, m.Chain(serviceHandler.ServiceListDataAttributesForDataAgreement, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("GET")
+ r.Handle(ServiceListDataAttributesForDataAgreement, m.Chain(serviceHandler.ServiceListDataAttributesForDataAgreement, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("GET")
 // Verification mechanisms
- r.Handle(ServiceVerificationFetchAllDataAgreementRecords, m.Chain(serviceHandler.ServiceFetchDataAgreementRecords, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("GET")
- r.Handle(ServiceVerificationFetchDataAgreementRecord, m.Chain(serviceHandler.ServiceVerificationFetchDataAgreementRecord, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("GET")
- r.Handle(ServiceVerificationFetchDataAgreementRecords, m.Chain(serviceHandler.ServiceVerificationFetchDataAgreementRecords, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("GET")
+ r.Handle(ServiceVerificationFetchAllDataAgreementRecords, m.Chain(serviceHandler.ServiceFetchDataAgreementRecords, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("GET")
+ r.Handle(ServiceVerificationFetchDataAgreementRecord, m.Chain(serviceHandler.ServiceVerificationFetchDataAgreementRecord, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("GET")
+ r.Handle(ServiceVerificationFetchDataAgreementRecords, m.Chain(serviceHandler.ServiceVerificationFetchDataAgreementRecords, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("GET")
 // Recording consent
- r.Handle(ServiceCreateDraftConsentRecord, m.Chain(serviceHandler.ServiceCreateDraftConsentRecord, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("POST")
- r.Handle(ServiceCreateDataAgreementRecord, m.Chain(serviceHandler.ServiceCreateDataAgreementRecord, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("POST")
- r.Handle(ServiceUpdateDataAgreementRecord, m.Chain(serviceHandler.ServiceUpdateDataAgreementRecord, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("PUT")
- r.Handle(ServiceDeleteIndividualDataAgreementRecords, m.Chain(serviceHandler.ServiceDeleteIndividualDataAgreementRecords, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("DELETE")
- r.Handle(ServiceCreatePairedDataAgreementRecord, m.Chain(serviceHandler.ServiceCreatePairedDataAgreementRecord, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("POST")
- r.Handle(ServiceUpdateSignatureObject, m.Chain(serviceHandler.ServiceUpdateSignatureObject, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("PUT")
- r.Handle(ServiceCreateBlankSignature, m.Chain(serviceHandler.ServiceCreateBlankSignature, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("POST")
+ r.Handle(ServiceCreateDraftConsentRecord, m.Chain(serviceHandler.ServiceCreateDraftConsentRecord, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("POST")
+ r.Handle(ServiceCreateDataAgreementRecord, m.Chain(serviceHandler.ServiceCreateDataAgreementRecord, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("POST")
+ r.Handle(ServiceUpdateDataAgreementRecord, m.Chain(serviceHandler.ServiceUpdateDataAgreementRecord, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("PUT")
+ r.Handle(ServiceDeleteIndividualDataAgreementRecords, m.Chain(serviceHandler.ServiceDeleteIndividualDataAgreementRecords, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("DELETE")
+ r.Handle(ServiceCreatePairedDataAgreementRecord, m.Chain(serviceHandler.ServiceCreatePairedDataAgreementRecord, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("POST")
+ r.Handle(ServiceUpdateSignatureObject, m.Chain(serviceHandler.ServiceUpdateSignatureObject, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("PUT")
+ r.Handle(ServiceCreateBlankSignature, m.Chain(serviceHandler.ServiceCreateBlankSignature, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("POST")
- r.Handle(ServiceReadDataAgreementRecord, m.Chain(serviceHandler.ServiceReadDataAgreementRecord, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("GET")
- r.Handle(ServiceFetchIndividualDataAgreementRecords, m.Chain(serviceHandler.ServiceFetchIndividualDataAgreementRecords, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("GET")
- r.Handle(ServiceFetchRecordsForDataAgreement, m.Chain(serviceHandler.ServiceFetchRecordsForDataAgreement, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("GET")
+ r.Handle(ServiceReadDataAgreementRecord, m.Chain(serviceHandler.ServiceReadDataAgreementRecord, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("GET")
+ r.Handle(ServiceFetchIndividualDataAgreementRecords, m.Chain(serviceHandler.ServiceFetchIndividualDataAgreementRecords, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("GET")
+ r.Handle(ServiceFetchRecordsForDataAgreement, m.Chain(serviceHandler.ServiceFetchRecordsForDataAgreement, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("GET")
- r.Handle(ServiceFetchRecordsHistory, m.Chain(serviceHandler.ServiceFetchRecordsHistory, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("GET")
+ r.Handle(ServiceFetchRecordsHistory, m.Chain(serviceHandler.ServiceFetchRecordsHistory, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("GET")
 r.Handle(ServiceReadOrganisation, m.Chain(serviceHandler.ServiceReadOrganisation, m.LoggerNoAuth(), m.SetApplicationMode(), m.AddContentType())).Methods("GET")
- r.Handle(ServiceReadOrganisationLogoImage, m.Chain(serviceHandler.ServiceReadOrganisationLogoImage, m.Logger(), m.SetApplicationMode(), m.AddContentType())).Methods("GET")
- r.Handle(ServiceReadOrganisationCoverImage, m.Chain(serviceHandler.ServiceReadOrganisationCoverImage, m.Logger(), m.SetApplicationMode(), m.AddContentType())).Methods("GET")
- r.Handle(ServiceReadOrganisationImage, m.Chain(serviceHandler.ServiceReadOrganisationImage, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("GET")
+ r.Handle(ServiceReadOrganisationLogoImage, m.Chain(serviceHandler.ServiceReadOrganisationLogoImage, m.LoggerNoAuth(), m.SetApplicationMode(), m.AddContentType())).Methods("GET")
+ r.Handle(ServiceReadOrganisationCoverImage, m.Chain(serviceHandler.ServiceReadOrganisationCoverImage, m.LoggerNoAuth(), m.SetApplicationMode(), m.AddContentType())).Methods("GET")
+ r.Handle(ServiceReadOrganisationImage, m.Chain(serviceHandler.ServiceReadOrganisationImage, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("GET")
 // Individual related api(s)
- r.Handle(ServiceReadIndividual, m.Chain(serviceIndividualHandler.ServiceReadIndividual, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("GET")
- r.Handle(ServiceCreateIndividual, m.Chain(serviceIndividualHandler.ServiceCreateIndividual, m.Logger(), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("POST")
- r.Handle(ServiceUpdateIndividual, m.Chain(serviceIndividualHandler.ServiceUpdateIndividual, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("PUT")
- r.Handle(ServiceListIndividuals, m.Chain(serviceIndividualHandler.ServiceListIndividuals, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("GET")
+ r.Handle(ServiceReadIndividual, m.Chain(serviceIndividualHandler.ServiceReadIndividual, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("GET")
+ r.Handle(ServiceCreateIndividual, m.Chain(serviceIndividualHandler.ServiceCreateIndividual, m.Logger(), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("POST")
+ r.Handle(ServiceUpdateIndividual, m.Chain(serviceIndividualHandler.ServiceUpdateIndividual, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("PUT")
+ r.Handle(ServiceListIndividuals, m.Chain(serviceIndividualHandler.ServiceListIndividuals, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("GET")
 // Audit api(s)
- r.Handle(AuditListDataAgreementRecords, m.Chain(auditHandler.AuditListDataAgreementRecords, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("GET")
- r.Handle(AuditDataAgreementRecordRead, m.Chain(auditHandler.AuditDataAgreementRecordRead, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("GET")
- r.Handle(AuditListDataAgreements, m.Chain(auditHandler.AuditListDataAgreements, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("GET")
- r.Handle(AuditReadDataAgreement, m.Chain(auditHandler.AuditReadDataAgreement, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("GET")
+ r.Handle(AuditListDataAgreementRecords, m.Chain(auditHandler.AuditListDataAgreementRecords, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("GET")
+ r.Handle(AuditDataAgreementRecordRead, m.Chain(auditHandler.AuditDataAgreementRecordRead, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("GET")
+ r.Handle(AuditListDataAgreements, m.Chain(auditHandler.AuditListDataAgreements, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("GET")
+ r.Handle(AuditReadDataAgreement, m.Chain(auditHandler.AuditReadDataAgreement, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("GET")
 // organization action logs
- r.Handle(AuditGetOrgLogs, m.Chain(auditHandler.AuditGetOrgLogs, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("GET")
+ r.Handle(AuditGetOrgLogs, m.Chain(auditHandler.AuditGetOrgLogs, m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("GET")
 // Onboard api(s)
 r.Handle(LoginAdminUser, m.Chain(onboardHandler.LoginAdminUser, m.LoggerNoAuth(), m.AddContentType())).Methods("POST")
 r.Handle(LoginUser, m.Chain(onboardHandler.LoginUser, m.LoggerNoAuth(), m.AddContentType())).Methods("POST")
- r.Handle(OnboardResetPassword, m.Chain(onboardHandler.OnboardResetPassword, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("PUT")
- r.Handle(OnboardLogoutUser, m.Chain(onboardHandler.OnboardLogoutUser, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("POST")
+ r.Handle(OnboardResetPassword, m.Chain(onboardHandler.OnboardResetPassword, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("PUT")
+ r.Handle(OnboardLogoutUser, m.Chain(onboardHandler.OnboardLogoutUser, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("POST")
 r.Handle(ValidateUserEmail, m.Chain(onboardHandler.ValidateUserEmail, m.LoggerNoAuth(), m.AddContentType())).Methods("POST")
 r.Handle(ValidatePhoneNumber, m.Chain(onboardHandler.ValidatePhoneNumber, m.LoggerNoAuth(), m.AddContentType())).Methods("POST")
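Review bot: The `ConfigListDataAgreementRevisions` route is still the one entry whose middleware order differs from every sibling — it lists `m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authorize(e)` while the rest use `m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess()`, so if `m.Chain` applies the list positionally (its wrapping order is not visible here) the casbin check runs at a different point relative to the application-mode and scope checks on that one endpoint; make it `m.Logger(), m.LogApiCalls(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType()` like the others. `ConfigListDataAgreements` also carries `m.LogApiCalls()` twice, which presumably records each call twice; drop one. `ServiceCreateIndividual` is the only authenticated route in the hunk without `m.Authorize(e)`; if that is deliberate, a one-line `// no Authorize(e) here — intentional? confirm against the casbin policy` would stop it reading as an omission. Since `ScopeBasedApiAccess` can only act on a principal that `Authenticate` has already established, a small test that walks `r` and asserts every route carrying `Authenticate` also carries `ScopeBasedApiAccess` in the same position would keep this long table from drifting again. `SetRoutes` continues past this hunk.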
@@ -151,19 +151,19 @@ func SetRoutes(r *mux.Router, e *casbin.Enforcer) {
 r.Handle(ExchangeAuthorizationCode, m.Chain(onboardHandler.ExchangeAuthorizationCode, m.LoggerNoAuth(), m.SetApplicationMode())).Methods("POST")
 r.Handle(OnboardForgotPassword, m.Chain(onboardHandler.OnboardForgotPassword, m.LoggerNoAuth(), m.SetApplicationMode())).Methods("PUT")
- r.Handle(GetOrganizationByID, m.Chain(onboardHandler.OnboardReadOrganisation, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("GET")
- r.Handle(UpdateOrganization, m.Chain(onboardHandler.UpdateOrganization, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("PUT")
- r.Handle(UpdateOrganizationCoverImage, m.Chain(onboardHandler.UpdateOrganizationCoverImage, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("POST")
- r.Handle(UpdateOrganizationLogoImage, m.Chain(onboardHandler.UpdateOrganizationLogoImage, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("POST")
- r.Handle(GetOrganizationCoverImage, m.Chain(onboardHandler.GetOrganizationCoverImage, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("GET")
- r.Handle(GetOrganizationLogoImage, m.Chain(onboardHandler.GetOrganizationLogoImage, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("GET")
+ r.Handle(GetOrganizationByID, m.Chain(onboardHandler.OnboardReadOrganisation, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("GET")
+ r.Handle(UpdateOrganization, m.Chain(onboardHandler.UpdateOrganization, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("PUT")
+ r.Handle(UpdateOrganizationCoverImage, m.Chain(onboardHandler.UpdateOrganizationCoverImage, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("POST")
+ r.Handle(UpdateOrganizationLogoImage, m.Chain(onboardHandler.UpdateOrganizationLogoImage, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("POST")
+ r.Handle(GetOrganizationCoverImage, m.Chain(onboardHandler.GetOrganizationCoverImage, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("GET")
+ r.Handle(GetOrganizationLogoImage, m.Chain(onboardHandler.GetOrganizationLogoImage, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("GET")
- r.Handle(OnboardReadOrganisationAdmin, m.Chain(onboardHandler.OnboardReadOrganisationAdmin, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("GET")
- r.Handle(OnboardUpdateOrganisationAdmin, m.Chain(onboardHandler.OnboardUpdateOrganisationAdmin, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("PUT")
- r.Handle(OnboardReadOrganisationAdminAvatar, m.Chain(onboardHandler.OnboardReadOrganisationAdminAvatar, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("GET")
- r.Handle(OnboardUpdateOrganisationAdminAvatar, m.Chain(onboardHandler.OnboardUpdateOrganisationAdminAvatar, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("PUT")
+ r.Handle(OnboardReadOrganisationAdmin, m.Chain(onboardHandler.OnboardReadOrganisationAdmin, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("GET")
+ r.Handle(OnboardUpdateOrganisationAdmin, m.Chain(onboardHandler.OnboardUpdateOrganisationAdmin, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("PUT")
+ r.Handle(OnboardReadOrganisationAdminAvatar, m.Chain(onboardHandler.OnboardReadOrganisationAdminAvatar, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("GET")
+ r.Handle(OnboardUpdateOrganisationAdminAvatar, m.Chain(onboardHandler.OnboardUpdateOrganisationAdminAvatar, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("PUT")
- r.Handle(OnboardReadStatus, m.Chain(onboardHandler.OnboardReadStatus, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.Authenticate(), m.AddContentType())).Methods("GET")
+ r.Handle(OnboardReadStatus, m.Chain(onboardHandler.OnboardReadStatus, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType())).Methods("GET")
 r.Handle(ServiceShowDataSharingUi, m.Chain(serviceDataSharingHandler.ServiceShowDataSharingUiHandler, m.LoggerNoAuth())).Methods("GET")
 }
diff --git a/internal/middleware/authenticate.go b/internal/middleware/authenticate.go
index 5bef8a1..9713973 100644
--- a/internal/middleware/authenticate.go
+++ b/internal/middleware/authenticate.go
@@ -4,10 +4,7 @@ import (
 "context"
 "log"
 "net/http"
- "strings"
- "github.com/bb-consent/api/internal/apikey"
- "github.com/bb-consent/api/internal/config"
 "github.com/bb-consent/api/internal/error_handler"
 "github.com/bb-consent/api/internal/iam"
 "github.com/bb-consent/api/internal/idp"
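Review bot: Every protected onboard route in this hunk repeats the same seven-middleware chain, and the new `m.ScopeBasedApiAccess()` is only correct if it executes after `m.Authenticate()` and before `m.Authorize(e)` (Authorize reads the role that the API-key path sets), which holds only if `m.Chain` wraps its arguments last-to-first — nothing in this file states that order. Extract the chain once, e.g. `protected := func(h http.HandlerFunc) http.HandlerFunc { return m.Chain(h, m.Logger(), m.Authorize(e), m.SetApplicationMode(), m.ScopeBasedApiAccess(), m.Authenticate(), m.AddContentType()) }` and register with `r.Handle(GetOrganizationByID, protected(onboardHandler.OnboardReadOrganisation)).Methods("GET")`, so a future reordering is one edit rather than a grep across ~40 routes. Above the helper, record the intended execution order in a comment such as `// Chain applies right-to-left: AddContentType → Authenticate → ScopeBasedApiAccess → SetApplicationMode → Authorize → Logger` once it has been confirmed against m.Chain. SetRoutes begins outside this hunk.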
@@ -159,39 +156,6 @@ func verifyTokenAndIdentifyRole(accessToken string, r *http.Request) error {
 return nil
 }
-func decodeApiKey(headerValue string, w http.ResponseWriter) apikey.Claims {
- claims, err := apikey.Decode(headerValue)
-
- if err != nil {
- m := "Invalid token, Authorization failed"
- error_handler.Exit(http.StatusUnauthorized, m)
- }
-
- return claims
-}
-
-func performAPIKeyAuthentication(claims apikey.Claims, w http.ResponseWriter, r *http.Request) {
- individualId := r.Header.Get(config.IndividualHeaderKey)
-
- // Repository
- individualRepo := individual.IndividualRepository{}
- individualRepo.Init(claims.OrganisationId)
-
- t := token.AccessToken{}
- token.Set(r, t)
- if len(strings.TrimSpace(individualId)) != 0 {
- // fetch the individual
- _, err := individualRepo.Get(individualId)
- if err != nil {
- m := "User does not exist, Authorization failed"
- error_handler.Exit(http.StatusBadRequest, m)
- }
- token.SetUserToRequestContext(r, individualId, rbac.ROLE_USER)
- } else {
- token.SetUserToRequestContext(r, claims.OrganisationAdminId, rbac.ROLE_ADMIN)
- }
-}
-
 // Authenticate Validates the token and sets the token to the context.
 func Authenticate() Middleware {
@@ -210,10 +174,6 @@ func Authenticate() Middleware {
 storeAccessTokenInRequestContext(headerValue, w, r)
 verifyTokenAndIdentifyRole(headerValue, r)
 }
- if headerType == token.AuthorizationAPIKey {
- claims := decodeApiKey(headerValue, w)
- performAPIKeyAuthentication(claims, w, r)
- }
 // Call the next middleware/handler in chain
 f(w, r)
 }
diff --git a/internal/middleware/authorise.go b/internal/middleware/authorise.go
index 2c592aa..93cc672 100644
--- a/internal/middleware/authorise.go
+++ b/internal/middleware/authorise.go
@@ -1,6 +1,7 @@
 package middleware
 import (
+ "errors"
 "log"
 "net/http"
@@ -17,21 +18,43 @@ func Authorize(e *casbin.Enforcer) Middleware {
 // Define the http.HandlerFunc
 return func(w http.ResponseWriter, r *http.Request) {
- userRole := token.GetUserRole(r)
+ headerType, headerValue := getAccessTokenFromHeader(w, r)
- // casbin enforce
- res, err := e.Enforce(userRole, r.URL.Path, r.Method)
- if err != nil {
- m := "Failed to enforce casbin authentication;"
- common.HandleError(w, http.StatusInternalServerError, m, err)
- return
- }
+ // verify rbac for token based access
+ if headerType == token.AuthorizationToken {
+ userRole := token.GetUserRole(r)
+
+ // casbin enforce
+ res, err := e.Enforce(userRole, r.URL.Path, r.Method)
+ if err != nil {
+ m := "Failed to enforce casbin authentication;"
+ common.HandleError(w, http.StatusInternalServerError, m, err)
+ return
+ }
- if !res {
- log.Printf("User does not have enough permissions")
- m := "Unauthorized access;User doesn't have enough permissions;"
- common.HandleError(w, http.StatusForbidden, m, nil)
- return
+ if !res {
+ log.Printf("User does not have enough permissions")
+ m := "Unauthorized access;User doesn't have enough permissions;"
+ common.HandleError(w, http.StatusForbidden, m, nil)
+ return
+ }
+ }
+ // verify rbac for apikey based access
+ if headerType == token.AuthorizationAPIKey {
+ // decode claims
+ claims := decodeApiKey(headerValue, w)
+ res, err := verifyApiKeyScope(claims.Scopes, e, r)
+ if err != nil {
+ m := "Failed to enforce casbin authentication;"
+ common.HandleError(w, http.StatusInternalServerError, m, err)
+ return
+ }
+ if !res {
+ log.Printf("User does not have enough permissions")
+ m := "Unauthorized access;User doesn't have enough permissions;"
+ common.HandleError(w, http.StatusForbidden, m, nil)
+ return
+ }
 }
 // Call the next middleware/handler in chain
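Review bot: Authorize now falls through to `f(w, r)` when `headerType` is neither `token.AuthorizationToken` nor `token.AuthorizationAPIKey`, whereas the removed code always ran the casbin check; whether a third header type can reach this point depends on `getAccessTokenFromHeader` and on `Authenticate` having already rejected the request, neither of which is visible in this hunk, so make the middleware fail closed by turning the two `if`s into a `switch headerType { ... default: common.HandleError(w, http.StatusUnauthorized, "Unauthorized access;Unsupported authorization scheme;", nil); return }`. In the API-key branch `decodeApiKey` reports a bad key via `error_handler.Exit`, which the new scope_based_api_access.go describes as a panic recovered by `defer error_handler.HandleExit(w)`, but Authorize has no such defer, so a malformed key that was not rejected earlier in the chain would escape as an unrecovered panic unless an outer middleware recovers it — add the defer here or have the decode return an error. The key is also decoded a second time here after `ScopeBasedApiAccess` already parsed it; stashing the claims in the request context there and reading them back here avoids parsing the same header twice per request. The enclosing `func Authorize` closes outside this hunk.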
@@ -39,3 +62,20 @@ func Authorize(e *casbin.Enforcer) Middleware {
 }
 }
 }
+
+// verifyApiKeyScope verify apikey scope
+func verifyApiKeyScope(Scopes []string, e *casbin.Enforcer, r *http.Request) (bool, error) {
+ var res bool
+ var err error
+ for _, scope := range Scopes {
+ res, err = e.Enforce(scope, r.URL.Path, r.Method)
+ if err != nil {
+ m := "failed to enforce casbin authentication;"
+ return false, errors.New(m)
+ }
+ if res {
+ return true, nil
+ }
+ }
+ return false, nil
+}
diff --git a/internal/middleware/scope_based_api_access.go b/internal/middleware/scope_based_api_access.go
new file mode 100644
index 0000000..19f1d64
--- /dev/null
+++ b/internal/middleware/scope_based_api_access.go
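Review bot: `verifyApiKeyScope` hands each scope string straight to `e.Enforce` as the casbin subject, and the same policy table (the rbac.go hunk in this diff) also keys rows by the role names `user` and `organisation_admin`, so a key whose `Scopes` happens to contain a role name would inherit every route of that role; unless API-key issuance already restricts scope values to the four tag names (not visible here), allow-list them before enforcing, e.g. `var apiKeyScopes = map[string]struct{}{"audit": {}, "config": {}, "service": {}, "onboard": {}}` at package level and `if _, ok := apiKeyScopes[scope]; !ok { continue }` as the first statement of the loop. The `errors.New(m)` return discards the enforcer's own error, so the 500 the caller logs carries no cause; prefer `return false, fmt.Errorf("failed to enforce casbin authentication: %w", err)` (swapping the newly added `errors` import for `fmt`). The parameter `Scopes` should be `scopes` — exported-style capitalisation on a local misleads readers in Go. An empty scope list correctly yields `false, nil`, which is the right default.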
@@ -0,0 +1,116 @@
+package middleware
+
+import (
+ "net/http"
+ "strings"
+
+ "github.com/bb-consent/api/internal/apikey"
+ "github.com/bb-consent/api/internal/config"
+ "github.com/bb-consent/api/internal/error_handler"
+ "github.com/bb-consent/api/internal/individual"
+ "github.com/bb-consent/api/internal/rbac"
+ "github.com/bb-consent/api/internal/token"
+ "github.com/bb-consent/api/internal/user"
+)
+
+func decodeApiKey(headerValue string, w http.ResponseWriter) apikey.Claims {
+ claims, err := apikey.Decode(headerValue)
+
+ if err != nil {
+ m := "Invalid token, Authorization failed"
+ error_handler.Exit(http.StatusUnauthorized, m)
+ }
+
+ return claims
+}
+
+func performAPIKeyAuthentication(claims apikey.Claims, tag string, w http.ResponseWriter, r *http.Request) {
+
+ t := token.AccessToken{}
+
+ // Check if individualId is present in request header for service tag
+ // If present validate user
+ // If not present, return error
+ if tag == config.Service {
+ individualId := r.Header.Get(config.IndividualHeaderKey)
+
+ // Repository
+ individualRepo := individual.IndividualRepository{}
+ individualRepo.Init(claims.OrganisationId)
+
+ if len(strings.TrimSpace(individualId)) != 0 {
+ // fetch the individual
+ individual, err := individualRepo.Get(individualId)
+ if err != nil {
+ m := "User does not exist, Authorization failed"
+ error_handler.Exit(http.StatusBadRequest, m)
+ }
+ t.Email = individual.Email
+ t.IamID = individual.IamId
+ token.Set(r, t)
+ token.SetUserToRequestContext(r, individualId, rbac.ROLE_USER)
+ } else {
+ m := "IndividualId is not present in request header"
+ error_handler.Exit(http.StatusBadRequest, m)
+ }
+
+ } else {
+ // fetch organisation admin and set to context if api tag is other than service
+ orgAdmin, err := user.Get(claims.OrganisationAdminId)
+ if err != nil {
+ m := "User does not exist, Authorization failed"
+ error_handler.Exit(http.StatusBadRequest, m)
+ }
+ t.Email = orgAdmin.Email
+ t.IamID = orgAdmin.IamID
+ token.Set(r, t)
+ token.SetUserToRequestContext(r, claims.OrganisationAdminId, rbac.ROLE_ADMIN)
+ }
+
+}
+
+// getApiTag get api tag from route
+func getApiTag(route string) string {
+
+ if strings.HasPrefix(route, "/v2/service") {
+ return "service"
+ } else if strings.HasPrefix(route, "/v2/config") {
+ return "config"
+ } else if strings.HasPrefix(route, "/v2/audit") {
+ return "audit"
+ } else if strings.HasPrefix(route, "/v2/onboard") || strings.HasPrefix(route, "/onboard") {
+ return "onboard"
+ } else {
+ return "unknown"
+ }
+}
+
+// ScopeBasedApiAccess Validates the apikey.
+func ScopeBasedApiAccess() Middleware {
+
+ // Create a new Middleware
+ return func(f http.HandlerFunc) http.HandlerFunc {
+
+ // Define the http.HandlerFunc
+ return func(w http.ResponseWriter, r *http.Request) {
+ // To catch panic and recover the error
+ // Once the error is recovered respond by
+ // writing the error to HTTP response
+ defer error_handler.HandleExit(w)
+ headerType, headerValue := getAccessTokenFromHeader(w, r)
+
+ if headerType == token.AuthorizationAPIKey {
+ claims := decodeApiKey(headerValue, w)
+ tag := getApiTag(r.URL.Path)
+ if tag == "unknown" {
+ m := "Unknown tag in request path"
+ error_handler.Exit(http.StatusBadRequest, m)
+ }
+ performAPIKeyAuthentication(claims, tag, w, r)
+ }
+
+ // Call the next middleware/handler in chain
+ f(w, r)
+ }
+ }
+}
diff --git a/internal/rbac/rbac.go b/internal/rbac/rbac.go
index dbd1fb5..af9201e 100644
--- a/internal/rbac/rbac.go
+++ b/internal/rbac/rbac.go
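Review bot: `performAPIKeyAuthentication` branches on `tag == config.Service`, but `getApiTag` returns the literal `"service"`; if `config.Service` is anything other than that exact string (its value is outside this diff), every `/v2/service` request authenticated with an API key takes the `else` branch and runs as the organisation admin with `rbac.ROLE_ADMIN`, silently skipping the individual lookup and the missing-header rejection. Make both sides use one symbol — have `getApiTag` `return config.Service` (and constants for the other three tags) or compare against the literal it actually returns — and pin it with a test such as `if getApiTag("/v2/service/x") != config.Service { t.Fatal(...) }`. Inside the service branch `individual, err := individualRepo.Get(individualId)` shadows the imported `individual` package for the rest of that block; rename the local (e.g. `ind`). The `w` parameter is unused in both `decodeApiKey` and `performAPIKeyAuthentication` and can be dropped, and the two "Authorization failed" exits answer 400 where 401/403 would describe the condition to the client.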
@@ -87,6 +87,73 @@ func GetRbacPolicies() [][]string {
 {"user", "/v2/service/individual/record", "DELETE"},
 {"user", "/v2/onboard/logout", "POST"},
 {"organisation_admin", "/v2/onboard/logout", "POST"},
+ {"audit", "/v2/audit/consent-records", "GET"},
+ {"audit", "/v2/audit/consent-record/{consentRecordId}", "GET"},
+ {"audit", "/v2/audit/data-agreements", "GET"},
+ {"audit", "/v2/audit/data-agreement/{dataAgreementId}", "GET"},
+ {"audit", "/v2/audit/admin/logs", "GET"},
+ {"config", "/v2/config/policy", "POST"},
+ {"config", "/v2/config/policy/{policyId}", "(GET)|(PUT)|(DELETE)"},
+ {"config", "/v2/config/policy/{policyId}/revisions", "GET"},
+ {"config", "/v2/config/policies", "GET"},
+ {"config", "/v2/config/data-agreement/{dataAgreementId}", "(GET)|(PUT)|(DELETE)"},
+ {"config", "/v2/config/data-agreement", "POST"},
+ {"config", "/v2/config/data-agreements", "GET"},
+ {"config", "/v2/config/data-agreement/{dataAgreementId}/revisions", "GET"},
+ {"config", "/v2/config/data-agreement/{dataAgreementId}/revision/{revisionId}", "GET"},
+ {"config", "/v2/config/data-agreement/{dataAgreementId}/data-attributes", "GET"},
+ {"config", "/v2/config/data-agreements/data-attribute/{dataAttributeId}", "PUT"},
+ {"config", "/v2/config/data-agreements/data-attributes", "GET"},
+ {"config", "/v2/config/webhooks/event-types", "GET"},
+ {"config", "/v2/config/webhooks/payload/content-types", "GET"},
+ {"config", "/v2/config/webhooks", "GET"},
+ {"config", "/v2/config/webhook", "POST"},
+ {"config", "/v2/config/webhook/{webhookId}", "(GET)|(PUT)|(DELETE)"},
+ {"config", "/v2/config/webhook/{webhookId}/ping", "POST"},
+ {"config", "/v2/config/webhooks/{webhookId}/deliveries", "GET"},
+ {"config", "/v2/config/webhooks/{webhookId}/delivery/{deliveryId}", "GET"},
+ {"config", "/v2/config/webhooks/{webhookId}/delivery/{deliveryId}/redeliver", "POST"},
+ {"config", "/v2/config/idp/open-id", "POST"},
+ {"config", "/v2/config/idp/open-ids", "GET"},
+ {"config", "/v2/config/idp/open-id/{idpId}", "(GET)|(PUT)|(DELETE)"},
+ {"config", "/v2/config/individuals", "GET"},
+ {"config", "/v2/config/individual", "POST"},
+ {"config", "/v2/config/individual/{individualId}", "(GET)|(PUT)"},
+ {"config", "/v2/config/admin/apikey", "POST"},
+ {"config", "/v2/config/admin/apikey/{apiKeyId}", "(PUT)|(DELETE)"},
+ {"config", "/v2/config/admin/apikeys", "GET"},
+ {"service", "/v2/service/data-agreements", "GET"},
+ {"service", "/v2/service/data-agreement/{dataAgreementId}", "GET"},
+ {"service", "/v2/service/data-agreement/{dataAgreementId}/data-attributes", "GET"},
+ {"service", "/v2/service/policy/{policyId}", "GET"},
+ {"service", "/v2/service/verification/data-agreements", "GET"},
+ {"service", "/v2/service/verification/consent-record/{consentRecordId}", "GET"},
+ {"service", "/v2/service/verification/consent-records", "GET"},
+ {"service", "/v2/service/individual/record/consent-record/draft", "POST"},
+ {"service", "/v2/service/individual/record/data-agreement/{dataAgreementId}", "(GET)|(POST)"},
+ {"service", "/v2/service/individual/record/consent-record/{consentRecordId}", "PUT"},
+ {"service", "/v2/service/individual/record/consent-record", "(GET)|(POST)"},
+ {"service", "/v2/service/individual/record/consent-record/{consentRecordId}/signature", "(POST)|(PUT)"},
+ {"service", "/v2/service/individual/record/data-agreement/{dataAgreementId}/all", "GET"},
+ {"service", "/v2/service/individual/record/consent-record/history", "GET"},
+ {"service", "/v2/service/idp/open-id", "GET"},
+ {"service", "/v2/service/organisation", "GET"},
+ {"service", "/v2/service/organisation/coverimage", "GET"},
+ {"service", "/v2/service/organisation/logoimage", "GET"},
+ {"service", "/v2/service/individuals", "GET"},
+ {"service", "/v2/service/individual", "POST"},
+ {"service", "/v2/service/individual/{individualId}", "(GET)|(PUT)"},
+ {"service", "/v2/service/image/{imageId}", "GET"},
+ {"service", "/v2/service/individual/record", "DELETE"},
+ {"onboard", "/v2/onboard/organisation", "(GET)|(PUT)"},
+ {"onboard", "/v2/onboard/organisation/coverimage", "(GET)|(POST)"},
+ {"onboard", "/v2/onboard/organisation/logoimage", "(GET)|(POST)"},
+ {"onboard", "/v2/onboard/organisation", "GET"},
+ {"onboard", "/v2/onboard/password/reset", "PUT"},
+ {"onboard", "/v2/onboard/admin", "(GET)|(PUT)"},
+ {"onboard", "/v2/onboard/admin/avatarimage", "(GET)|(PUT)"},
+ {"onboard", "/v2/onboard/status", "GET"},
+ {"onboard", "/v2/onboard/logout", "POST"},
 }
 return policies
diff --git a/internal/token/token.go b/internal/token/token.go
index 88ada90..a3dd1ee 100644
--- a/internal/token/token.go
+++ b/internal/token/token.go
@@ -198,11 +198,6 @@ func SetUserToRequestContext(r *http.Request, userID string, userRole string) {
 context.Set(r, userIDKey, userID)
 context.Set(r, UserRoleKey, userRole)
- // Set individual to request header if not present
- if _, exists := r.Header[http.CanonicalHeaderKey(config.IndividualHeaderKey)]; !exists {
- r.Header.Set(config.IndividualHeaderKey, userID)
- }
-
 }
 // ParseTokenUnverified parses the token and returns the accessToken struct