# `Sigra.Plug.RequireScopes`
[🔗](https://github.com/sztheory/sigra/blob/v1.20.0/lib/sigra/plug/require_scopes.ex#L1)

Route-level scope enforcement plug for API token authentication.

Checks that the current connection's scope (from `conn.assigns.current_scope`)
has the required scopes. Session-authenticated users bypass scope checks entirely.

## Options

- `:scopes` (required) - A non-empty list of required scope strings
- `:error_handler` (required) - Module implementing `Sigra.Plug.ErrorHandler`
- `:match` - `:all` (default) requires all scopes, `:any` requires at least one

## Examples

    # Require all listed scopes (AND mode, default)
    plug Sigra.Plug.RequireScopes,
      scopes: ["profile:read", "sessions:read"],
      error_handler: MyAppWeb.AuthErrorHandler

    # Require any listed scope (OR mode)
    plug Sigra.Plug.RequireScopes,
      scopes: ["admin:write", "profile:write"],
      error_handler: MyAppWeb.AuthErrorHandler,
      match: :any

## Session Bypass

When `auth_method` is `:session`, the plug passes the connection through
without checking scopes. This enables a unified pipeline where browser
sessions and API tokens share the same routes.

# `call`
*since 0.7.0* 

Check scope requirements and halt if insufficient.

# `init`
*since 0.7.0* 

Initialize the plug with the given options.

Validates that `:scopes` is a non-empty list and `:error_handler` is present.

---

*Consult [api-reference.md](api-reference.md) for complete listing*