diff --git a/docs/docs.logflare.com/docs/concepts/access-tokens/index.md b/docs/docs.logflare.com/docs/concepts/access-tokens/index.md
index f33044cd7..7f2257c2d 100644
--- a/docs/docs.logflare.com/docs/concepts/access-tokens/index.md
+++ b/docs/docs.logflare.com/docs/concepts/access-tokens/index.md
@@ -36,9 +36,9 @@ There are 3 supported methods to attach an accees token with an API request:
 
 ## Client-side is Public
 
-Access tokens are considered public for client-side usage. Public-only tokens will not be able to access the Logflare Management API, which provides capabilities to manage user resources on Logflare.
+Access tokens can be exposed for client-side usage. Consider restricting tokens to ingest into specific sources or to considered public for client-side usage. Public-only tokens will not be able to access the Logflare Management API beyond the ingest/query APIs.
 
-Please use a separate private access token for the Management API.
+Private access tokens should not be exposed to the client side, as private access tokens have complete access to all management APIs used for account control.
 
 ## Rotation
 
diff --git a/lib/logflare/auth.ex b/lib/logflare/auth.ex
index 211c23c45..b6d0e7ba6 100644
--- a/lib/logflare/auth.ex
+++ b/lib/logflare/auth.ex
@@ -164,25 +164,57 @@ defmodule Logflare.Auth do
     resource_owner = Keyword.get(config, :resource_owner)
 
     with {:ok, access_token} <- ExOauth2Provider.authenticate_token(str_token, config),
-         token_scopes <- String.split(access_token.scopes || ""),
-         :ok <- check_scopes(token_scopes, required_scopes),
+         :ok <- check_scopes(access_token, required_scopes),
          owner <- get_resource_owner_by_id(resource_owner, access_token.resource_owner_id) do
       {:ok, owner}
-    else
-      {:scope, false} -> {:error, :unauthorized}
-      err -> err
     end
   end
 
   defp get_resource_owner_by_id(User, id), do: Users.Cache.get(id)
   defp get_resource_owner_by_id(Partner, id), do: Partners.Cache.get_partner(id)
 
-  defp check_scopes(token_scopes, required) do
+  @doc """
+  Checks that an access token contains all scopes that are provided in a given required scopes list.
+
+  Private scope will allways return `:ok`
+  iex> check_scopes(access_token, ["private"])
+
+  iex> check_scopes(%OauthAccessToken{scopes: "ingest:source:1"}, ["ingest:source:1"])
+  If multiple scopes are provided, each scope must be in the access token's scope string
+    :ok
+  only can ingest to token-specified scopes
+    iex> check_scopes(%OauthAccessToken{scopes: "ingest:source:1"}, ["ingest"])
+    {:error, :unauthorized}
+
+  if scopes to check for are missing, will be unauthorized
+    iex> check_scopes(%OauthAccessToken{scopes: "ingest"}, ["ingest", "source:1"])
+    {:error, :unauthorized}
+
+  """
+  def check_scopes(%_{} = access_token, required_scopes) when is_list(required_scopes) do
+    token_scopes = String.split(access_token.scopes || "")
+
     cond do
-      "private" in token_scopes -> :ok
-      Enum.empty?(required) -> :ok
-      Enum.any?(token_scopes, fn scope -> scope in required end) -> :ok
-      true -> {:error, :unauthorized}
+      "private" in token_scopes ->
+        :ok
+
+      Enum.empty?(required_scopes) ->
+        :ok
+
+      # legacy behaviours
+      # empty scope
+      Enum.empty?(token_scopes) and Enum.any?(required_scopes, &String.starts_with?(&1, "ingest")) ->
+        :ok
+
+      # deprecated scope
+      "public" in token_scopes and Enum.any?(required_scopes, &String.starts_with?(&1, "ingest")) ->
+        :ok
+
+      Enum.any?(token_scopes, fn scope -> scope in required_scopes end) ->
+        :ok
+
+      true ->
+        {:error, :unauthorized}
     end
   end
 
diff --git a/lib/logflare/sources.ex b/lib/logflare/sources.ex
index 20c30e3d5..e2f65442e 100644
--- a/lib/logflare/sources.ex
+++ b/lib/logflare/sources.ex
@@ -117,7 +117,7 @@ defmodule Logflare.Sources do
     get_source_by_token(source_token)
   end
 
-  def get(source_id) when is_integer(source_id) do
+  def get(source_id) when is_integer(source_id) or is_binary(source_id) do
     Repo.get(Source, source_id)
     |> put_retention_days()
   end
diff --git a/lib/logflare_web/controllers/plugs/verify_resource_access.ex b/lib/logflare_web/controllers/plugs/verify_resource_access.ex
new file mode 100644
index 000000000..3dc431bc6
--- /dev/null
+++ b/lib/logflare_web/controllers/plugs/verify_resource_access.ex
@@ -0,0 +1,82 @@
+defmodule LogflareWeb.Plugs.VerifyResourceAccess do
+  @moduledoc """
+  Plug that checks for ownership of the a provided resource.
+
+  If the `:user` assign is not set, verification is assumed to have passed and as passthroguh is performed.
+  Also checks any API scopes that are set.
+  If no resource is set, performs a passthrough.
+  """
+  alias Logflare.Source
+  alias Logflare.Endpoints.Query
+  alias Logflare.User
+  alias Logflare.Auth
+  alias LogflareWeb.Api.FallbackController
+  def init(_opts), do: nil
+
+  def call(%{assigns: %{endpoint: %Query{enable_auth: false}}} = conn, _opts) do
+    conn
+  end
+
+  # check source
+  def call(
+        %{
+          assigns:
+            %{
+              user: %User{id: id},
+              source: %Source{id: source_id, user_id: user_id}
+            } = assigns
+        } = conn,
+        _opts
+      )
+      when id == user_id do
+    access_token = Map.get(assigns, :access_token)
+
+    # legacy api key
+    cond do
+      access_token == nil ->
+        conn
+
+      :ok == Auth.check_scopes(access_token, ["ingest", "ingest:source:#{source_id}"]) or
+          :ok == Auth.check_scopes(access_token, ["ingest", "ingest:collection:#{source_id}"]) ->
+        conn
+
+      true ->
+        FallbackController.call(conn, {:error, :unauthorized})
+    end
+  end
+
+  # check endpoint
+  def call(
+        %{
+          assigns:
+            %{
+              user: %User{id: id},
+              endpoint: %Query{id: endpoint_id, user_id: user_id}
+            } = assigns
+        } = conn,
+        _opts
+      )
+      when id == user_id do
+    access_token = Map.get(assigns, :access_token)
+
+    cond do
+      # legacy api key
+      access_token == nil ->
+        conn
+
+      :ok == Auth.check_scopes(access_token, ["query", "query:endpoint:#{endpoint_id}"]) ->
+        conn
+
+      true ->
+        FallbackController.call(conn, {:error, :unauthorized})
+    end
+  end
+
+  # halts all others
+  def call(%{assigns: assigns} = conn, _) when is_map_key(assigns, :resource_type) do
+    FallbackController.call(conn, {:error, :unauthorized})
+  end
+
+  # no resource is set, passthrough
+  def call(conn, _), do: conn
+end
diff --git a/lib/logflare_web/controllers/plugs/verify_resource_ownership.ex b/lib/logflare_web/controllers/plugs/verify_resource_ownership.ex
deleted file mode 100644
index 96ddb4670..000000000
--- a/lib/logflare_web/controllers/plugs/verify_resource_ownership.ex
+++ /dev/null
@@ -1,37 +0,0 @@
-defmodule LogflareWeb.Plugs.VerifyResourceOwnership do
-  @moduledoc """
-  Plug that checks for ownership of the a provided resource.
-
-  If the `:user` assign is not set, verification is assumed to have passed and as passthroguh is performed.
-  If no resource is set, performs a passthrough.
-  """
-  alias Logflare.Source
-  alias Logflare.Endpoints.Query
-  alias Logflare.User
-  alias LogflareWeb.Api.FallbackController
-  def init(_opts), do: nil
-
-  def call(%{assigns: %{endpoint: %Query{enable_auth: false}}} = conn, _opts) do
-    conn
-  end
-
-  # check source
-  def call(%{assigns: %{user: %User{id: id}, source: %Source{user_id: user_id}}} = conn, _opts)
-      when id == user_id do
-    conn
-  end
-
-  # check endpoint
-  def call(%{assigns: %{user: %User{id: id}, endpoint: %Query{user_id: user_id}}} = conn, _opts)
-      when id == user_id do
-    conn
-  end
-
-  # halts all others
-  def call(%{assigns: assigns} = conn, _) when is_map_key(assigns, :resource_type) do
-    FallbackController.call(conn, {:error, :unauthorized})
-  end
-
-  # no resource is set, passthrough
-  def call(conn, _), do: conn
-end
diff --git a/lib/logflare_web/live/access_tokens_live.ex b/lib/logflare_web/live/access_tokens_live.ex
index ecc98fd3c..305022491 100644
--- a/lib/logflare_web/live/access_tokens_live.ex
+++ b/lib/logflare_web/live/access_tokens_live.ex
@@ -3,6 +3,8 @@ defmodule LogflareWeb.AccessTokensLive do
   use LogflareWeb, :live_view
   require Logger
   alias Logflare.Auth
+  alias Logflare.Sources
+  alias Logflare.Endpoints
 
   def render(assigns) do
     ~H"""
@@ -26,27 +28,40 @@ defmodule LogflareWeb.AccessTokensLive do
           The <code>X-API-KEY</code> header method expects the header format <code>X-API-KEY: your-access-token</code>.
           The <code>api_key</code> query parameter method expects the search format <code>?api_key=your-access-token</code>.</p>
 
-        <.form for={%{}} action="#" phx-submit="create-token" class={["mt-4", "jumbotron jumbotron-fluid tw-p-4", if(@show_create_form == false, do: "hidden")]}>
+        <.form for={@create_token_form} action="#" phx-change="update-token-form" phx-submit="create-token" class={["mt-4", "jumbotron jumbotron-fluid tw-p-4", if(@show_create_form == false, do: "hidden")]}>
           <h5>New Access Token</h5>
           <div class="form-group">
             <label name="description">Description</label>
-            <input name="description" autofocus class="form-control" />
+            <input name="description" autofocus class="form-control" value={@create_token_form["description"]} />
             <small class="form-text text-muted">A short description for identifying what this access token is to be used for.</small>
           </div>
 
           <div class="form-group ">
             <label name="scopes" class="tw-mr-3">Scope</label>
             <%= for %{value: value, description: description} <- [%{
-              value: "public",
-              description: "For ingestion and endpoints"
+              value: "ingest",
+              description: "For ingestion into a source. Allows ingest into all sources if no specific source is selected."
             }, %{
+              value: "query",
+              description: "For querying an endpoint. Allows querying of all endpoints if no specific endpoint is selected"
+            },%{
               value: "private",
-              description: "For account management"
+              description: "For account management, has all privileges"
             }] do %>
-              <div class="form-check  form-check-inline tw-mr-2">
-                <input class="form-check-input" type="radio" name="scopes" id={["scopes", value]} value={value} checked={value == "public"} />
-                <label class="form-check-label tw-px-1" for={["scopes", value]}><%= String.capitalize(value) %></label>
-                <small class="form-text text-muted"><%= description %></small>
+              <div class="form-check tw-mr-2">
+                <input class="form-check-input" type="checkbox" name="scopes_main[]" id={["scopes", "main", value]} value={value} checked={value in @create_token_form["scopes_main"]} />
+                <label class="form-check-label tw-px-1" for={["scopes", "main", value]}>
+                  <%= String.capitalize(value) %>
+                  <small class="form-text text-muted"><%= description %></small>
+                  <select :for={input_n <- 0..2} :if={value == "ingest" and value in @create_token_form["scopes_main"]} id={["scopes", "ingest", input_n]} name="scopes_ingest[]" class="mt-1 form-control form-control-sm">
+                    <option hidden value="">Ingest into a specific source...</option>
+                    <option :for={source <- @sources} selected={"ingest:source:#{source.id}" == Enum.at(@create_token_form["scopes_ingest"], input_n)} value={"ingest:source:#{source.id}"} }>Ingest into <%= source.name %> only</option>
+                  </select>
+                  <select :for={input_n <- 0..2} :if={value == "query" and value in @create_token_form["scopes_main"]} id={["scopes", "query", input_n]} name="scopes_query[]" class="mt-1 form-control form-control-sm">
+                    <option hidden value="">Query a specific endpoint...</option>
+                    <option :for={endpoint <- @endpoints} value={"query:endpoint:#{endpoint.id}"} selected={"query:endpoint:#{endpoint.id}" == Enum.at(@create_token_form["scopes_query"], input_n)}>Query <%= endpoint.name %> only</option>
+                  </select>
+                </label>
               </div>
             <% end %>
           </div>
@@ -101,14 +116,20 @@ defmodule LogflareWeb.AccessTokensLive do
                 </span>
               </td>
               <td>
-                <span :for={scope <- String.split(token.scopes || "")} class="badge badge-secondary"><%= scope %></span>
+                <span :for={scope <- String.split(token.scopes || "")} class="badge badge-secondary mr-1">
+                  <%= case scope do
+                    "ingest" <> _ -> get_ingest_label(assigns, scope)
+                    "query" <> _ -> get_query_label(assigns, scope)
+                    scope -> scope
+                  end %>
+                </span>
               </td>
               <td class="p-2 tw-text-sm">
                 <%= Calendar.strftime(token.inserted_at, "%d %b %Y, %I:%M:%S %p") %>
               </td>
 
               <td class="p-2">
-                <button :if={token.scopes =~ "public"} class="btn btn-secondary btn-sm" phx-click={JS.dispatch("logflare:copy-to-clipboard", detail: %{text: token.token})} data-toggle="tooltip" data-placement="top" title="Copy to clipboard">
+                <button :if={!(token.scopes =~ "private")} class="btn btn-secondary btn-sm" phx-click={JS.dispatch("logflare:copy-to-clipboard", detail: %{text: token.token})} data-toggle="tooltip" data-placement="top" title="Copy to clipboard">
                   <i class="fa fa-clone" aria-hidden="true"></i> Copy
                 </button>
                 <button class="btn text-danger btn-sm" data-confirm="Are you sure? This cannot be undone." phx-click="revoke-token" phx-value-token-id={token.id} data-toggle="tooltip" data-placement="top" title="Revoke access token forever">
@@ -123,14 +144,28 @@ defmodule LogflareWeb.AccessTokensLive do
     """
   end
 
+  @default_create_form %{
+    "description" => "",
+    "scopes" => [],
+    "scopes_ingest" => [],
+    "scopes_query" => [],
+    "scopes_main" => ["ingest"]
+  }
   def mount(_params, %{"user_id" => user_id}, socket) do
     user = Logflare.Users.get(user_id)
+    sources = Sources.list_sources_by_user(user)
+    endpoints = Endpoints.list_endpoints_by(user_id: user.id)
 
     socket =
       socket
       |> assign(:user, user)
       |> assign(:show_create_form, false)
       |> assign(:created_token, nil)
+      |> assign(:sources, sources)
+      |> assign(:endpoints, endpoints)
+      |> assign(scopes_ingest_sources: %{})
+      |> assign(scopes_query_endpoints: %{})
+      |> assign(create_token_form: @default_create_form)
       |> do_refresh()
 
     {:ok, socket}
@@ -153,7 +188,21 @@ defmodule LogflareWeb.AccessTokensLive do
       "Creating access token for user, user_id=#{inspect(user.id)}, params: #{inspect(params)}"
     )
 
-    attrs = Map.take(params, ["description", "scopes"])
+    scopes_main = Map.get(params, "scopes_main") || []
+    scopes_ingest = Map.get(params, "scopes_ingest") || []
+    scopes_query = Map.get(params, "scopes_query") || []
+
+    scopes_main =
+      if scopes_ingest != [], do: Enum.filter(scopes_main, &(&1 != "ingest")), else: scopes_main
+
+    scopes_main =
+      if scopes_query != [], do: Enum.filter(scopes_main, &(&1 != "query")), else: scopes_main
+
+    scopes = scopes_main ++ scopes_ingest ++ scopes_query
+
+    attrs =
+      Map.take(params, ["description"])
+      |> Map.put("scopes", Enum.join(scopes, " "))
 
     {:ok, token} = Auth.create_access_token(user, attrs)
 
@@ -161,11 +210,38 @@ defmodule LogflareWeb.AccessTokensLive do
       socket
       |> do_refresh()
       |> assign(:show_create_form, false)
+      |> assign(:create_token_form, @default_create_form)
       |> assign(:created_token, token)
 
     {:noreply, socket}
   end
 
+  def handle_event(
+        "update-token-form",
+        payload,
+        socket
+      ) do
+    data = Map.drop(payload, ["_csrf_token", "_target"])
+
+    data =
+      if "ingest" not in Map.get(data, "scopes_main", []) do
+        Map.put(data, "scopes_ingest", [])
+      else
+        data
+      end
+
+    data =
+      if "query" not in Map.get(data, "scopes_main", []) do
+        Map.put(data, "scopes_query", [])
+      else
+        data
+      end
+
+    merged = Map.merge(socket.assigns.create_token_form, data)
+
+    {:noreply, assign(socket, :create_token_form, merged)}
+  end
+
   def handle_event(
         "revoke-token",
         %{"token-id" => token_id},
@@ -185,8 +261,58 @@ defmodule LogflareWeb.AccessTokensLive do
   defp do_refresh(%{assigns: %{user: user}} = socket) do
     tokens = user |> Auth.list_valid_access_tokens() |> Enum.sort_by(& &1.inserted_at, :desc)
 
+    scopes_ingest_sources =
+      for token <- tokens,
+          str_id <- parse_ingest_scope_source_id(token.scopes),
+          source = Sources.get(str_id),
+          into: socket.assigns.scopes_ingest_sources do
+        {str_id, source}
+      end
+
+    scopes_query_endpoints =
+      for token <- tokens,
+          str_id <- parse_query_scope_endpoint_id(token.scopes),
+          endpoint = Endpoints.get_endpoint_query(str_id),
+          into: socket.assigns.scopes_query_endpoints do
+        {str_id, endpoint}
+      end
+
     socket
     |> assign(access_tokens: tokens)
+    |> assign(scopes_ingest_sources: scopes_ingest_sources)
+    |> assign(scopes_query_endpoints: scopes_query_endpoints)
     |> assign(created_token: nil)
   end
+
+  # get list of string ids from scopes string
+  defp parse_ingest_scope_source_id(scopes) do
+    Regex.scan(~r/ingest:source:([0-9]+)/, scopes, capture: :all_but_first)
+    |> List.flatten()
+  end
+
+  # get list of string ids from scopes string
+  defp parse_query_scope_endpoint_id(scopes) do
+    Regex.scan(~r/query:endpoint:([0-9]+)/, scopes, capture: :all_but_first)
+    |> List.flatten()
+  end
+
+  defp get_query_label(_assigns, "query"), do: "query (all)"
+
+  defp get_query_label(%{scopes_query_endpoints: endpoint_map}, "query:endpoint:" <> str_id) do
+    if endpoint = Map.get(endpoint_map, str_id) do
+      "query (#{endpoint.name})"
+    else
+      "query (deleted)"
+    end
+  end
+
+  defp get_ingest_label(_assigns, "ingest"), do: "ingest (all)"
+
+  defp get_ingest_label(%{scopes_ingest_sources: source_map}, "ingest:source:" <> str_id) do
+    if source = Map.get(source_map, str_id) do
+      "ingest (#{source.name})"
+    else
+      "ingest (deleted)"
+    end
+  end
 end
diff --git a/lib/logflare_web/router.ex b/lib/logflare_web/router.ex
index d72ad3d8e..a5ee417d0 100644
--- a/lib/logflare_web/router.ex
+++ b/lib/logflare_web/router.ex
@@ -70,15 +70,15 @@ defmodule LogflareWeb.Router do
   end
 
   pipeline :require_endpoint_auth do
-    plug(LogflareWeb.Plugs.VerifyApiAccess, scopes: ~w(public))
+    plug(LogflareWeb.Plugs.VerifyApiAccess)
     plug(LogflareWeb.Plugs.FetchResource)
-    plug(LogflareWeb.Plugs.VerifyResourceOwnership)
+    plug(LogflareWeb.Plugs.VerifyResourceAccess)
   end
 
   pipeline :require_ingest_api_auth do
-    plug(LogflareWeb.Plugs.VerifyApiAccess, scopes: ~w(public))
+    plug(LogflareWeb.Plugs.VerifyApiAccess)
     plug(LogflareWeb.Plugs.FetchResource)
-    plug(LogflareWeb.Plugs.VerifyResourceOwnership)
+    plug(LogflareWeb.Plugs.VerifyResourceAccess)
     # We are ensuring source start in Logs.ingest
     # plug LogflareWeb.Plugs.EnsureSourceStarted
     plug(LogflareWeb.Plugs.SetPlanFromCache)
diff --git a/test/logflare/auth_test.exs b/test/logflare/auth_test.exs
index be26155f4..5432c0519 100644
--- a/test/logflare/auth_test.exs
+++ b/test/logflare/auth_test.exs
@@ -41,18 +41,82 @@ defmodule Logflare.AuthTest do
     end
   end
 
-  test "verify_access_token/2 public scope", %{user: user} do
-    # no scope set
+  test "verify_access_token/2 ingest scope", %{user: user} do
+    # no scope set on token, defaults to ingest to any sources
     {:ok, key} = Auth.create_access_token(user)
-    assert {:ok, _} = Auth.verify_access_token(key.token, ~w(public))
-    assert {:ok, _} = Auth.verify_access_token(key.token, "public")
+    assert {:ok, _} = Auth.verify_access_token(key.token, ~w(ingest))
+    assert {:ok, _} = Auth.verify_access_token(key.token, "ingest")
     assert {:ok, _} = Auth.verify_access_token(key.token)
+    assert {:ok, _} = Auth.verify_access_token(key.token, ~w(ingest source:2))
 
     # scope is set
-    {:ok, key} = Auth.create_access_token(user, %{scopes: "public"})
-    assert {:ok, _} = Auth.verify_access_token(key.token, ~w(public))
-    assert {:ok, _} = Auth.verify_access_token(key.token, "public")
+    {:ok, key} = Auth.create_access_token(user, %{scopes: "ingest"})
+    assert {:ok, _} = Auth.verify_access_token(key.token, ~w(ingest))
+    assert {:ok, _} = Auth.verify_access_token(key.token, "ingest")
+    assert {:ok, _} = Auth.verify_access_token(key.token)
+
+    # scope to a specific resource
+    # source and collection are resource aliases. i.e. they refer to the same resource.
+    for name <- ["source", "collection"] do
+      {:ok, key} = Auth.create_access_token(user, %{scopes: "ingest:#{name}:3 ingest:#{name}:1"})
+      assert {:ok, _} = Auth.verify_access_token(key.token, ~w(ingest:#{name}:1))
+      assert {:ok, _} = Auth.verify_access_token(key.token, ~w(ingest:#{name}:3))
+    end
+  end
+
+  test "verify_access_token/2 query scope", %{user: user} do
+    # no scope set on token
+    {:ok, key} = Auth.create_access_token(user)
+    assert {:error, _} = Auth.verify_access_token(key.token, ~w(query))
+
+    # scope is set on token
+    {:ok, key} = Auth.create_access_token(user, %{scopes: "query"})
+    assert {:error, _} = Auth.verify_access_token(key.token, ~w(ingest))
+    assert {:ok, _} = Auth.verify_access_token(key.token, ~w(query))
     assert {:ok, _} = Auth.verify_access_token(key.token)
+
+    # scope to a specific resource
+    {:ok, key} = Auth.create_access_token(user, %{scopes: "query:endpoint:3 query:endpoint:1"})
+    assert {:ok, _} = Auth.verify_access_token(key.token, ~w(query:endpoint:1))
+    assert {:ok, _} = Auth.verify_access_token(key.token, ~w(query:endpoint:3))
+  end
+
+  test "check_scopes/2 private scope ", %{user: user} do
+    {:ok, key} = Auth.create_access_token(user, %{scopes: "private"})
+    assert :ok = Auth.check_scopes(key, ~w(query))
+    assert :ok = Auth.check_scopes(key, ~w(ingest))
+    assert :ok = Auth.check_scopes(key, ~w(ingest:endpoint:3))
+    assert :ok = Auth.check_scopes(key, ~w(ingest:source:3))
+  end
+
+  test "check_scopes/2 default empty scopes", %{user: user} do
+    # empty scopes means ingest into any source, the legacy behaviour
+    {:ok, key} = Auth.create_access_token(user, %{scopes: ""})
+    assert :ok = Auth.check_scopes(key, ~w(ingest))
+    assert :ok = Auth.check_scopes(key, ~w(ingest:source:1))
+  end
+
+  test "check_scopes/2 deprecated public scope", %{user: user} do
+    # empty scopes means ingest into any source, the legacy behaviour
+    {:ok, key} = Auth.create_access_token(user, %{scopes: "public"})
+    assert :ok = Auth.check_scopes(key, ~w(ingest))
+    assert :ok = Auth.check_scopes(key, ~w(ingest:source:1))
+    assert {:error, :unauthorized} = Auth.check_scopes(key, ~w(query))
+    assert {:error, :unauthorized} = Auth.check_scopes(key, ~w(private))
+  end
+
+  test "check_scopes/2 matches all required scopes ", %{user: user} do
+    # should only allow ingest into source 1
+    {:ok, key} = Auth.create_access_token(user, %{scopes: "ingest:source:1 ingest:source:4"})
+    assert {:error, _} = Auth.check_scopes(key, ~w(ingest))
+    assert {:error, _} = Auth.check_scopes(key, ~w(ingest:source:3))
+    assert {:error, _} = Auth.check_scopes(key, ~w(query))
+    assert {:error, _} = Auth.check_scopes(key, ~w(query:source:4))
+    assert {:error, _} = Auth.check_scopes(key, ~w(query:source:1))
+
+    assert :ok = Auth.check_scopes(key, ~w(ingest:source:1))
+    assert :ok = Auth.check_scopes(key, ~w(ingest:source:4))
+    assert :ok = Auth.check_scopes(key, ~w(ingest:source:4 ingest:source:1))
   end
 
   test "verify_access_token/2 private scope", %{user: user} do
diff --git a/test/logflare_web/live/access_tokens_live_test.exs b/test/logflare_web/live/access_tokens_live_test.exs
index 4ef0a4f44..e642926d4 100644
--- a/test/logflare_web/live/access_tokens_live_test.exs
+++ b/test/logflare_web/live/access_tokens_live_test.exs
@@ -31,7 +31,7 @@ defmodule LogflareWeb.AccessTokensLiveTest do
     assert html =~ "Copy"
   end
 
-  test "public token", %{conn: conn, user: user} do
+  test "deprecated: public token", %{conn: conn, user: user} do
     token = insert(:access_token, scopes: "public", resource_owner: user)
     {:ok, view, _html} = live(conn, ~p"/access-tokens")
     html = render(view)
@@ -46,22 +46,63 @@ defmodule LogflareWeb.AccessTokensLiveTest do
     assert html =~ "No description"
   end
 
-  test "create private token", %{conn: conn} do
+  test "create token - ingest into all", %{conn: conn} do
     {:ok, view, _html} = live(conn, ~p"/access-tokens")
+    do_ui_create_token(view, "ingest")
+    html = view |> element("table") |> render()
+    # able to copy, visible
+    assert view
+           |> element("button", "Copy")
+           |> has_element?()
+
+    assert html =~ "ingest"
+  end
 
+  test "create token - ingest into one source", %{conn: conn, user: user} do
+    source = insert(:source, user: user)
+    {:ok, view, _html} = live(conn, ~p"/access-tokens")
+    html = do_ui_create_token(view, "ingest:source:#{source.id}")
+    # able to copy, visible
     assert view
-           |> element("button", "Create access token")
-           |> render_click()
+           |> element("button", "Copy")
+           |> has_element?()
 
-    assert view |> element("button", "Create") |> has_element?()
-    assert view |> element("label", "Scope") |> has_element?()
+    assert html =~ "ingest (#{source.name})"
+    refute html =~ "ingest (all)"
+  end
+
+  test "create token - query for one endpoint", %{conn: conn, user: user} do
+    endpoint = insert(:endpoint, user: user)
+    {:ok, view, _html} = live(conn, ~p"/access-tokens")
+    do_ui_create_token(view, "query:endpoint:#{endpoint.id}")
 
     assert view
-           |> element("form")
-           |> render_submit(%{
-             description: "some description",
-             scopes: "private"
-           }) =~ "created successfully"
+           |> element("button", "Copy")
+           |> has_element?()
+
+    html = view |> element("table") |> render()
+    assert html =~ "query (#{endpoint.name})"
+    refute html =~ "query (all)"
+  end
+
+  test "create ingest token", %{conn: conn} do
+    {:ok, view, _html} = live(conn, ~p"/access-tokens")
+
+    do_ui_create_token(view, "ingest")
+
+    assert view
+           |> element("button", "Copy")
+           |> has_element?()
+
+    html = view |> element("table") |> render()
+    assert html =~ "some description"
+    assert html =~ "ingest (all)"
+  end
+
+  test "create private token", %{conn: conn} do
+    {:ok, view, _html} = live(conn, ~p"/access-tokens")
+
+    do_ui_create_token(view, "private")
 
     html = view |> element("table") |> render()
     assert html =~ "some description"
@@ -81,4 +122,25 @@ defmodule LogflareWeb.AccessTokensLiveTest do
     refute html =~ token.token
     assert html =~ "private"
   end
+
+  # returns the rendered table html
+  defp do_ui_create_token(view, scopes) do
+    assert view
+           |> element("button", "Create access token")
+           |> render_click()
+
+    assert view |> element("button", "Create") |> has_element?()
+    assert view |> element("label", "Scope") |> has_element?()
+
+    assert view
+           |> element("form")
+           |> render_submit(%{
+             description: "some description",
+             scopes_main: if(scopes =~ ":", do: [], else: [scopes]),
+             scopes_ingest: if(scopes =~ "ingest:", do: [], else: [scopes]),
+             scopes_query: if(scopes =~ "query:", do: [], else: [scopes])
+           }) =~ "created successfully"
+
+    view |> element("table") |> render()
+  end
 end
diff --git a/test/logflare_web/plugs/verify_api_access_test.exs b/test/logflare_web/plugs/verify_api_access_test.exs
index 3947bf8c7..ead926161 100644
--- a/test/logflare_web/plugs/verify_api_access_test.exs
+++ b/test/logflare_web/plugs/verify_api_access_test.exs
@@ -176,34 +176,6 @@ defmodule LogflareWeb.Plugs.VerifyApiAccessTest do
     end
   end
 
-  test "public scope", %{user: user} do
-    {:ok, access_token} = Logflare.Auth.create_access_token(user, %{scopes: "public"})
-
-    build_conn(:get, "/any", %{})
-    |> put_req_header("x-api-key", access_token.token)
-    |> VerifyApiAccess.call(%{scopes: ~w(public)})
-    |> assert_authorized(user)
-
-    build_conn(:get, "/any", %{})
-    |> put_req_header("x-api-key", access_token.token)
-    |> VerifyApiAccess.call(%{scopes: ~w(public)})
-    |> assert_authorized(user)
-
-    # no scope set
-    {:ok, access_token} = Logflare.Auth.create_access_token(user)
-
-    build_conn(:get, "/any", %{})
-    |> put_req_header("x-api-key", access_token.token)
-    |> VerifyApiAccess.call(%{scopes: ~w(public)})
-    |> assert_authorized(user)
-
-    # user.api_key
-    build_conn(:get, "/any", %{})
-    |> put_req_header("x-api-key", user.api_key)
-    |> VerifyApiAccess.call(%{scopes: ~w(public)})
-    |> assert_authorized(user)
-  end
-
   test "private scope", %{user: user} do
     {:ok, access_token} = Logflare.Auth.create_access_token(user, %{scopes: "private"})
 
diff --git a/test/logflare_web/plugs/verify_resource_access_test.exs b/test/logflare_web/plugs/verify_resource_access_test.exs
new file mode 100644
index 000000000..5828b4af6
--- /dev/null
+++ b/test/logflare_web/plugs/verify_resource_access_test.exs
@@ -0,0 +1,178 @@
+defmodule LogflareWeb.Plugs.VerifyResourceAccessTest do
+  @moduledoc false
+  use LogflareWeb.ConnCase
+  alias LogflareWeb.Plugs.VerifyResourceAccess
+
+  setup do
+    user = insert(:user)
+    endpoint = insert(:endpoint, user: user, enable_auth: true)
+    source = insert(:source, user: user)
+    {:ok, user: user, source: source, endpoint: endpoint}
+  end
+
+  describe "source" do
+    setup %{source: source, user: user} do
+      conn =
+        build_conn(:post, "/logs", %{"source" => Atom.to_string(source.token)})
+        |> assign(:user, user)
+        |> assign(:source, source)
+        |> assign(:resource_type, :source)
+
+      [conn: conn]
+    end
+
+    test "valid - ingest into any", %{conn: initial, user: user} do
+      for scopes <- [
+            "",
+            "public",
+            "ingest"
+          ] do
+        {:ok, access_token} = Logflare.Auth.create_access_token(user, %{scopes: scopes})
+
+        conn =
+          initial
+          |> assign(:access_token, access_token)
+          |> VerifyResourceAccess.call(%{})
+
+        refute conn.halted
+      end
+    end
+
+    test "valid - ingest into one source", %{conn: conn, source: source, user: user} do
+      {:ok, access_token} =
+        Logflare.Auth.create_access_token(user, %{scopes: "ingest:source:#{source.id}"})
+
+      conn =
+        conn
+        |> assign(:access_token, access_token)
+        |> VerifyResourceAccess.call(%{})
+
+      refute conn.halted
+    end
+
+    test "invalid - no access token", %{conn: initial_conn, source: source, user: user} do
+      # no access token
+      conn =
+        initial_conn
+        |> assign(:user, insert(:user))
+        |> VerifyResourceAccess.call(%{})
+
+      assert conn.halted
+      assert conn.status == 401
+
+      # invalid scope check
+      {:ok, access_token} =
+        Logflare.Auth.create_access_token(user, %{scopes: "ingest:source:#{source.id + 4}"})
+
+      conn =
+        initial_conn
+        |> assign(:access_token, access_token)
+        |> VerifyResourceAccess.call(%{})
+
+      assert conn.halted
+      assert conn.status == 401
+    end
+
+    test "invalid - specific source", %{conn: initial_conn, source: source, user: user} do
+      {:ok, access_token} =
+        Logflare.Auth.create_access_token(user, %{scopes: "ingest:source:#{source.id + 4}"})
+
+      conn =
+        initial_conn
+        |> assign(:access_token, access_token)
+        |> VerifyResourceAccess.call(%{})
+
+      assert conn.halted and conn.status == 401
+    end
+  end
+
+  describe "endpoints" do
+    setup %{endpoint: endpoint, user: user} do
+      conn =
+        build_conn(:get, "/endpoints/query/#{endpoint.token}", %{"token" => endpoint.token})
+        |> assign(:user, user)
+        |> assign(:resource_type, :endpoint)
+        |> assign(:endpoint, endpoint)
+
+      [conn: conn]
+    end
+
+    test "valid - query one", %{conn: conn, user: user, endpoint: endpoint} do
+      {:ok, access_token} =
+        Logflare.Auth.create_access_token(user, %{scopes: "query:endpoint:#{endpoint.id}"})
+
+      conn =
+        conn
+        |> assign(:access_token, access_token)
+        |> VerifyResourceAccess.call(%{})
+
+      refute conn.halted
+    end
+
+    test "valid - query any", %{conn: conn, user: user} do
+      {:ok, access_token} = Logflare.Auth.create_access_token(user, %{scopes: "query"})
+
+      conn =
+        conn
+        |> assign(:access_token, access_token)
+        |> VerifyResourceAccess.call(%{})
+
+      refute conn.halted
+    end
+
+    test "invalid - wrong scope action", %{conn: conn, user: user} do
+      {:ok, access_token} = Logflare.Auth.create_access_token(user, %{scopes: "ingest"})
+
+      conn =
+        conn
+        |> assign(:access_token, access_token)
+        |> VerifyResourceAccess.call(%{})
+
+      assert conn.halted and conn.status == 401
+    end
+
+    test "invalid - wrong resource scope", %{conn: conn, user: user, endpoint: endpoint} do
+      {:ok, access_token} =
+        Logflare.Auth.create_access_token(user, %{scopes: "query:endpoint:#{endpoint.id + 4}"})
+
+      conn =
+        conn
+        |> assign(:access_token, access_token)
+        |> VerifyResourceAccess.call(%{})
+
+      assert conn.halted and conn.status == 401
+    end
+
+    test "invalid - no scope", %{conn: conn, user: user} do
+      {:ok, access_token} = Logflare.Auth.create_access_token(user, %{scopes: ""})
+
+      conn =
+        conn
+        |> assign(:access_token, access_token)
+        |> VerifyResourceAccess.call(%{})
+
+      assert conn.halted and conn.status == 401
+    end
+  end
+
+  test "no resource provided", %{user: user} do
+    conn =
+      build_conn(:get, "/any", %{})
+      |> assign(:user, user)
+
+    refute conn.halted
+  end
+
+  test "no user/resource provided" do
+    conn = build_conn(:get, "/any", %{})
+    refute conn.halted
+  end
+
+  test "no user provided", %{endpoint: endpoint} do
+    conn =
+      build_conn(:get, "/any", %{})
+      |> assign(:endpoint, endpoint)
+
+    refute conn.halted
+  end
+end
diff --git a/test/logflare_web/plugs/verify_resource_ownership_test.exs b/test/logflare_web/plugs/verify_resource_ownership_test.exs
deleted file mode 100644
index 417cf077d..000000000
--- a/test/logflare_web/plugs/verify_resource_ownership_test.exs
+++ /dev/null
@@ -1,91 +0,0 @@
-defmodule LogflareWeb.Plugs.VerifyResourceOwnershipTest do
-  @moduledoc false
-  use LogflareWeb.ConnCase
-  alias LogflareWeb.Plugs.VerifyResourceOwnership
-
-  setup do
-    user = insert(:user)
-    endpoint = insert(:endpoint, user: user, enable_auth: true)
-    source = insert(:source, user: user)
-    {:ok, user: user, source: source, endpoint: endpoint}
-  end
-
-  describe "source" do
-    setup %{source: source, user: user} do
-      conn =
-        build_conn(:post, "/logs", %{"source" => Atom.to_string(source.token)})
-        |> assign(:user, user)
-        |> assign(:source, source)
-        |> assign(:resource_type, :source)
-
-      [conn: conn]
-    end
-
-    test "valid", %{conn: conn} do
-      conn = VerifyResourceOwnership.call(conn, %{})
-
-      refute conn.halted
-    end
-
-    test "invalid", %{conn: conn} do
-      conn =
-        conn
-        |> assign(:user, insert(:user))
-        |> VerifyResourceOwnership.call(%{})
-
-      assert conn.halted
-      assert conn.status == 401
-    end
-  end
-
-  describe "endpoints" do
-    setup %{endpoint: endpoint, user: user} do
-      conn =
-        build_conn(:get, "/endpoints/query/#{endpoint.token}", %{"token" => endpoint.token})
-        |> assign(:user, user)
-        |> assign(:resource_type, :endpoint)
-        |> assign(:endpoint, endpoint)
-
-      [conn: conn]
-    end
-
-    test "valid", %{conn: conn} do
-      conn =
-        conn
-        |> VerifyResourceOwnership.call(%{})
-
-      refute conn.halted
-    end
-
-    test "invalid", %{conn: conn} do
-      conn =
-        conn
-        |> assign(:user, insert(:user))
-        |> VerifyResourceOwnership.call(%{})
-
-      assert conn.halted
-      assert conn.status == 401
-    end
-  end
-
-  test "no resource provided", %{user: user} do
-    conn =
-      build_conn(:get, "/any", %{})
-      |> assign(:user, user)
-
-    refute conn.halted
-  end
-
-  test "no user/resource provided" do
-    conn = build_conn(:get, "/any", %{})
-    refute conn.halted
-  end
-
-  test "no user provided", %{endpoint: endpoint} do
-    conn =
-      build_conn(:get, "/any", %{})
-      |> assign(:endpoint, endpoint)
-
-    refute conn.halted
-  end
-end