gravitational · eriktate · Nov 18, 2025 · Oct 22, 2025
diff --git a/api/client/client.go b/api/client/client.go
@@ -95,6 +95,7 @@ import (
 	resourceusagepb "github.com/gravitational/teleport/api/gen/proto/go/teleport/resourceusage/v1"
 	samlidppb "github.com/gravitational/teleport/api/gen/proto/go/teleport/samlidp/v1"
 	scopedaccessv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/scopes/access/v1"
+	joiningv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/scopes/joining/v1"
 	secreportsv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/secreports/v1"
 	stableunixusersv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/stableunixusers/v1"
 	summarizerv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/summarizer/v1"
@@ -134,6 +135,7 @@ type AuthServiceClient struct {
 	userpreferencespb.UserPreferencesServiceClient
 	notificationsv1pb.NotificationServiceClient
 	recordingencryptionv1pb.RecordingEncryptionServiceClient
+	joiningv1.ScopedJoiningServiceClient
 }
 
 // Client is a gRPC Client that connects to a Teleport Auth server either
@@ -547,6 +549,7 @@ func (c *Client) dialGRPC(ctx context.Context, addr string) error {
 		UserPreferencesServiceClient:     userpreferencespb.NewUserPreferencesServiceClient(c.conn),
 		NotificationServiceClient:        notificationsv1pb.NewNotificationServiceClient(c.conn),
 		RecordingEncryptionServiceClient: recordingencryptionv1pb.NewRecordingEncryptionServiceClient(c.conn),
+		ScopedJoiningServiceClient:       joiningv1.NewScopedJoiningServiceClient(c.conn),
 	}
 	c.JoinServiceClient = NewJoinServiceClient(proto.NewJoinServiceClient(c.conn))
 
@@ -5861,3 +5864,25 @@ func (c *Client) DeleteHealthCheckConfig(ctx context.Context, name string) error
 	)
 	return trace.Wrap(err)
 }
+
+// ListScopedTokens fetches pages of scoped tokens.
+func (c *Client) ListScopedTokens(ctx context.Context, req *joiningv1.ListScopedTokensRequest) (*joiningv1.ListScopedTokensResponse, error) {
+	res, err := c.grpc.ListScopedTokens(ctx, req)
+	return res, trace.Wrap(err)
+}
+
+// DeleteScopedToken deletes an existing scoped token.
+func (c *Client) DeleteScopedToken(ctx context.Context, name string) error {
+	_, err := c.grpc.DeleteScopedToken(ctx, &joiningv1.DeleteScopedTokenRequest{
+		Name: name,
+	})
+	return trace.Wrap(err)
+}
+
+// CreateScopedToken creates a new scoped token.
+func (c *Client) CreateScopedToken(ctx context.Context, token *joiningv1.ScopedToken) (*joiningv1.ScopedToken, error) {
+	res, err := c.grpc.CreateScopedToken(ctx, &joiningv1.CreateScopedTokenRequest{
+		Token: token,
+	})
+	return res.GetToken(), trace.Wrap(err)
+}
diff --git a/api/gen/proto/go/teleport/decision/v1alpha1/ssh_identity.pb.go b/api/gen/proto/go/teleport/decision/v1alpha1/ssh_identity.pb.go
diff --git a/api/gen/proto/go/teleport/scopes/joining/v1/service.pb.go b/api/gen/proto/go/teleport/scopes/joining/v1/service.pb.go
diff --git a/api/gen/proto/go/teleport/scopes/joining/v1/token.pb.go b/api/gen/proto/go/teleport/scopes/joining/v1/token.pb.go
diff --git a/api/proto/teleport/decision/v1alpha1/ssh_identity.proto b/api/proto/teleport/decision/v1alpha1/ssh_identity.proto
@@ -164,6 +164,9 @@ message SSHIdentity {
   // ScopePin is an optional pin that ties the certificate to a specific scope and set of scoped roles. When
   // set, the Roles field must not be set.
   teleport.scopes.v1.Pin scope_pin = 35;
+
+  // The scope associated with a host identity.
+  string agent_scope = 36;
 }
 
 // CertExtensionMode specifies the type of extension to use in the cert. This type

diff --git a/api/proto/teleport/scopes/joining/v1/service.proto b/api/proto/teleport/scopes/joining/v1/service.proto
@@ -53,17 +53,23 @@ message GetScopedTokenResponse {
 
 // ListScopedTokensRequest is the request to list scoped tokens.
 message ListScopedTokensRequest {
-  // ResourceScope filters tokens by their resource scope if specified.
+  // Filter tokens by their resource scope.
   teleport.scopes.v1.Filter resource_scope = 1;
 
-  // AssignedScope filters tokens by their assigned scope if specified.
+  // Filter tokens by their assigned scope.
   teleport.scopes.v1.Filter assigned_scope = 2;
 
-  // Cursor is the pagination cursor.
+  // The pagination cursor.
   string cursor = 3;
 
-  // Limit is the maximum number of results to return.
+  // The maximum number of results to return.
   uint32 limit = 4;
+
+  // Filter tokens that apply at least one of the provided roles.
+  repeated string roles = 5;
+
+  // Filter tokens that match all provided labels.
+  map<string, string> labels = 6;
 }
 
 // ListScopedTokensResponse is the response to list scoped tokens.

diff --git a/api/proto/teleport/scopes/joining/v1/token.proto b/api/proto/teleport/scopes/joining/v1/token.proto
@@ -46,8 +46,15 @@ message ScopedToken {
 
 // ScopedTokenSpec is the specification of a scoped token.
 message ScopedTokenSpec {
-  // AssignedScope is the scope to which this token is assigned.
+  // The scope to which this token is assigned.
   string assigned_scope = 1;
 
-  // TODO(fspmarshall): port relevant token features to scoped tokens.
+  // The list of roles associated with the token. They will be converted
+  // to metadata in the SSH and X509 certificates issued to the user of the
+  // token.
+  repeated string roles = 2;
+
+  // The joining method required in order to use this token.
+  // Supported joining methods for scoped tokens only include 'token'.
+  string join_method = 3;
 }