Visa types categorize the authorization level a credential provides. Every credential maps to one of six visa classifications based on access level, data sensitivity, and compliance requirements.
Overview
| Type | Description | Risk Level | Common Use Cases |
|---|
access | Basic platform access | Low | Read APIs, public data |
privilege | Elevated permissions | High | Admin APIs, write operations |
data | Data access rights | Medium-High | Databases, storage |
compliance | Regulatory scope | High | HIPAA, PCI, SOC2 data |
ecosystem | Cross-platform | Medium | Multi-service integrations |
custom | Business-defined | Variable | Custom authorization policies |
Access Visa
Basic platform access for standard API operations.
Characteristics:
- Read-only or limited write access
- Standard rate limits
- Non-sensitive data access
Examples:
- OpenAI API key for chat completions
- GitHub token for public repos
- Weather API key
Default Policies:
- No special approval required
- Standard expiration (90 days recommended)
const passport = await createPassport({
name: "OpenAI Reader",
visaType: "access",
scope: ["chat.completions.read"],
// ...
});
Privilege Visa
Elevated permissions for administrative or write operations.
Characteristics:
- Full write access
- User/resource management
- Billing or configuration changes
Examples:
- AWS root credentials
- GitHub org admin token
- Stripe secret key
Default Policies:
- Requires approval before access
- Short expiration (30 days recommended)
- Enhanced audit logging
Privilege visas grant broad, high-risk permissions. Always require approval and use the shortest practical expiration window.
const passport = await createPassport({
name: "AWS Admin",
visaType: "privilege",
scope: ["iam:*", "organizations:*"],
// ...
});
Data Visa
Data access rights for databases and storage systems.
Characteristics:
- Database credentials
- Storage access keys
- Data export capabilities
Examples:
- PostgreSQL connection string
- MongoDB credentials
- S3 bucket access
Default Policies:
- Data classification awareness
- Query logging recommended
- Backup access restrictions
Tag data visas with classification labels like pii, production, or sensitive to make policy enforcement and auditing easier.
const passport = await createPassport({
name: "Production Database",
visaType: "data",
platforms: ["custom"],
scope: ["read", "write"],
tags: ["production", "pii"],
// ...
});
Compliance Visa
Credentials that access regulated data.
Characteristics:
- Subject to regulatory requirements
- Enhanced audit requirements
- Access logging mandatory
Examples:
- Healthcare data APIs (HIPAA)
- Payment processing (PCI-DSS)
- EU customer data (GDPR)
Default Policies:
- Always requires approval
- Strict expiration (7-30 days)
- Cannot be delegated
- Full audit trail required
Compliance visas cannot be delegated and require a full audit trail. Ensure your logging infrastructure is in place before issuing these credentials.
const passport = await createPassport({
name: "Healthcare API",
visaType: "compliance",
scope: ["patient.read"],
tags: ["hipaa", "phi"],
// ...
});
Ecosystem Visa
Cross-platform credentials for multi-service integrations.
Characteristics:
- Access to multiple services
- Integration platform credentials
- Workflow automation tokens
Examples:
- Zapier API key
- IFTTT webhook
- Enterprise SSO token
Default Policies:
- Medium scrutiny
- Platform-specific scoping
- Delegation tracking important
Because ecosystem visas span multiple platforms, pay close attention to delegation tracking to maintain visibility into where the credential is used.
const passport = await createPassport({
name: "Integration Platform",
visaType: "ecosystem",
platforms: ["openai", "github", "custom"],
scope: ["integration.*"],
// ...
});
Custom Visa
Business-defined authorization for unique or specialized access patterns.
Characteristics:
- Fully configurable policies
- Organization-specific rules
- Tailored approval workflows
- Flexible scope definitions
Examples:
- Internal service mesh credentials
- Partner API integrations
- Legacy system access
- Custom workflow authorizations
Default Policies:
- No default restrictions
- Policies defined by organization
- Custom approval chains supported
- Flexible expiration rules
const passport = await createPassport({
name: "Internal Service Token",
visaType: "custom",
platforms: ["custom"],
scope: ["service.internal.*"],
tags: ["internal", "service-mesh"],
notes: "Custom authorization for internal microservice communication",
// ...
});
- None of the standard visa types fit your use case
- Your organization has unique compliance requirements
- You need to implement custom approval workflows
- Legacy systems require non-standard access patterns
Choosing the Right Visa Type
┌─────────────────────────────────────┐
│ What does this credential do? │
└─────────────────────────────────────┘
│
┌─────────────────┼─────────────────┐
▼ ▼ ▼
┌──────────┐ ┌──────────┐ ┌──────────┐
│ Read-only│ │ Write/ │ │ Database │
│ APIs │ │ Admin │ │ Access │
└────┬─────┘ └────┬─────┘ └────┬─────┘
│ │ │
▼ ▼ ▼
┌──────────┐ ┌──────────┐ ┌──────────┐
│ access │ │ privilege│ │ data │
└──────────┘ └──────────┘ └──────────┘
Is it regulated? Is it multi-platform?
│ │
▼ ▼
┌──────────┐ ┌──────────┐
│compliance│ │ecosystem │
└──────────┘ └──────────┘
None of the above fit?
│
▼
┌──────────┐
│ custom │ ← Business-defined authorization
└──────────┘
Policy Implications
Each visa type can have different policy rules:
const rules = [
policy('privilege-needs-approval')
.forVisaTypes('privilege', 'compliance')
.requireApproval()
.build(),
policy('short-expiry-for-compliance')
.forVisaTypes('compliance')
.maxValidityDays(7)
.deny()
.build(),
policy('no-delegation-for-compliance')
.forVisaTypes('compliance')
.maxDelegationDepth(0)
.deny()
.build(),
];
Combine visa types with passport model policies to build layered security that matches your organization’s risk tolerance. 
