Passing data to or from Xero is done by first specifying an endpoint (EP). EPs roughly translate to tables but each EP can involve more than one table. For example a response from the Invoices EP can also give you aggregated totals for Payments and Credit Notes applied to each invoice.
Your API call can then supply parameters such as requesting only invoices that were created or modified after a specified Date/Time or to get more details for a single specified Invoice ID.
The EPs your application can access are defined by the Scope you specify and by the authority of the person who authorised your connection.
Granting authority in Xero to a user does not seem to correlate very well with the Scopes that can be specified for the API. So I’m still in the trial and error stage of that development. For now, I’m just having someone with supreme authority authorising the application’s connection.
Scopes can be very specific or general. For example the Scope: accounting.transactions will allow your application to access any of the following: BankTransactions, BankTransfers, BatchPayments, CreditNotes, ExpenseClaims, Invoices, LinkedTransactions, ManualJournals, Overpayments, Quotes, Payments, Prepayments, PurchaseOrders, Receipts, RepeatingInvoices
Or you can specify just the individual scopes. See the link above for more detail.
But the main point is that the person authorising your access using xoAuth must have the authority for the specified scopes.