diff --git a/examples/nodejs/token-vending-machine/lambda/token-vending-machine/config.ts b/examples/nodejs/token-vending-machine/lambda/token-vending-machine/config.ts
index 9b51e06ef..4752b2616 100644
--- a/examples/nodejs/token-vending-machine/lambda/token-vending-machine/config.ts
+++ b/examples/nodejs/token-vending-machine/lambda/token-vending-machine/config.ts
@@ -17,11 +17,11 @@ import {AllDataReadWrite, TopicRole, CacheRole, ExpiresIn, TokenScope, AllTopics
 * export const tokenPermissions: TokenScope = {
 * permissions: [
 * {
- * role: CacheRole.ReadWrite | CacheRole.ReadOnly,
+ * role: CacheRole.ReadWrite | CacheRole.ReadOnly | CacheRole.WriteOnly,
 * cache: AllCaches | "your-cache-name"
 * },
 * {
- * role: TopicRole.PublishSubscribe | TopicRole.SubscribeOnly,
+ * role: TopicRole.PublishSubscribe | TopicRole.SubscribeOnly | TopicRole.PublishOnly,
 * cache: AllCaches | "your-cache-name",
 * topic: AllTopics | "your-topic-name"
 * }
diff --git a/examples/web/nextjs-chat/src/app/api/momento/token/config.ts b/examples/web/nextjs-chat/src/app/api/momento/token/config.ts
index e9d93656a..974a1120c 100644
--- a/examples/web/nextjs-chat/src/app/api/momento/token/config.ts
+++ b/examples/web/nextjs-chat/src/app/api/momento/token/config.ts
@@ -23,11 +23,11 @@ import {
 * export const tokenPermissions: TokenScope = {
 * permissions: [
 * {
- * role: CacheRole.ReadWrite | CacheRole.ReadOnly,
+ * role: CacheRole.ReadWrite | CacheRole.ReadOnly | CacheRole.WriteOnly,
 * cache: AllCaches | "your-cache-name"
 * },
 * {
- * role: TopicRole.PublishSubscribe | TopicRole.SubscribeOnly,
+ * role: TopicRole.PublishSubscribe | TopicRole.SubscribeOnly | TopicRole.PublishOnly,
 * cache: AllCaches | "your-cache-name",
 * topic: AllTopics | "your-topic-name"
 * }
diff --git a/packages/core/src/auth/tokens/token-scope.ts b/packages/core/src/auth/tokens/token-scope.ts
index 509a12e39..64b3c4686 100644
--- a/packages/core/src/auth/tokens/token-scope.ts
+++ b/packages/core/src/auth/tokens/token-scope.ts
@@ -1,6 +1,7 @@
 export enum CacheRole {
 ReadWrite = 'readwrite',
 ReadOnly = 'readonly',
+ WriteOnly = 'writeonly',
 }
 
 class All {}
@@ -39,6 +40,7 @@ export function asCachePermission(p: Permission): CachePermission {
 export enum TopicRole {
 PublishSubscribe = 'publishsubscribe',
 SubscribeOnly = 'subscribeonly',
+ PublishOnly = 'publishonly',
 }
 
 export interface TopicName {
diff --git a/packages/core/src/auth/tokens/token-scopes.ts b/packages/core/src/auth/tokens/token-scopes.ts
index 952eba82a..d73130f91 100644
--- a/packages/core/src/auth/tokens/token-scopes.ts
+++ b/packages/core/src/auth/tokens/token-scopes.ts
@@ -18,6 +18,12 @@ export function cacheReadOnly(cacheSelector: CacheSelector): TokenScope {
 };
 }
 
+export function cacheWriteOnly(cacheSelector: CacheSelector): TokenScope {
+ return {
+ permissions: [{role: CacheRole.WriteOnly, cache: cacheSelector}],
+ };
+}
+
 export function topicSubscribeOnly(
 cacheSelector: CacheSelector,
 topicSelector: TopicSelector
@@ -47,3 +53,18 @@ export function topicPublishSubscribe(
 ],
 };
 }
+
+export function topicPublishOnly(
+ cacheSelector: CacheSelector,
+ topicSelector: TopicSelector
+): TokenScope {
+ return {
+ permissions: [
+ {
+ role: TopicRole.PublishOnly,
+ cache: cacheSelector,
+ topic: topicSelector,
+ },
+ ],
+ };
+}
diff --git a/packages/core/test/unit/auth/token-scope.test.ts b/packages/core/test/unit/auth/token-scope.test.ts
index 600328027..a4fb8eddf 100644
--- a/packages/core/test/unit/auth/token-scope.test.ts
+++ b/packages/core/test/unit/auth/token-scope.test.ts
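Review bot: Nothing in this diff touches the code that turns a role into the permission requested when a token is generated, so please confirm that `CacheRole.WriteOnly` and `TopicRole.PublishOnly` (the two enum hunks in packages/core/src/auth/tokens/token-scope.ts) are handled there and that an unrecognised role is rejected rather than mapped to a broader grant. That translation code is not visible here, so this is a question for the author, not a confirmed gap. Each new member would also benefit from a one-line TSDoc stating what it denies, for example `/** Grants write operations on the cache; reads are denied. */` and `/** Grants publish on the topic; subscribe is denied. */`, with the wording checked against what the service actually enforces.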
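Review bot: `cacheWriteOnly` and `topicPublishOnly` in packages/core/src/auth/tokens/token-scopes.ts are exported without a doc comment, and because these helpers are how callers choose a narrow scope, each should state what the resulting token can and cannot do. Suggested: `/** Scope for a token that may write to the selected cache(s) but not read from them. */` above `cacheWriteOnly`, and `/** Scope for a token that may publish to the selected topic(s) but not subscribe. */` above `topicPublishOnly`; confirm the wording against the roles' real semantics. The comments should also mention that passing `AllCaches` or `AllTopics` extends the grant to every cache or topic, so a named selector is the narrower choice.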
@@ -215,6 +215,20 @@ describe('TokenScope', () => {
 permissions: [{role: CacheRole.ReadOnly, cache: {name: 'mycache'}}],
 });
 });
+ it('cacheWriteOnly', () => {
+ let scope: TokenScope = TokenScopes.cacheWriteOnly('mycache');
+ expect(scope).toEqual({
+ permissions: [{role: CacheRole.WriteOnly, cache: 'mycache'}],
+ });
+ scope = TokenScopes.cacheWriteOnly(AllCaches);
+ expect(scope).toEqual({
+ permissions: [{role: CacheRole.WriteOnly, cache: AllCaches}],
+ });
+ scope = TokenScopes.cacheWriteOnly({name: 'mycache'});
+ expect(scope).toEqual({
+ permissions: [{role: CacheRole.WriteOnly, cache: {name: 'mycache'}}],
+ });
+ });
 it('topicSubscribeOnly', () => {
 let scope: TokenScope = TokenScopes.topicSubscribeOnly(
 'mycache',
@@ -245,6 +259,36 @@ describe('TokenScope', () => {
 ],
 });
 });
+ it('topicPublishOnly', () => {
+ let scope: TokenScope = TokenScopes.topicPublishOnly(
+ 'mycache',
+ 'mytopic'
+ );
+ expect(scope).toEqual({
+ permissions: [
+ {role: TopicRole.PublishOnly, cache: 'mycache', topic: 'mytopic'},
+ ],
+ });
+ scope = TokenScopes.topicPublishOnly(AllCaches, AllTopics);
+ expect(scope).toEqual({
+ permissions: [
+ {role: TopicRole.PublishOnly, cache: AllCaches, topic: AllTopics},
+ ],
+ });
+ scope = TokenScopes.topicPublishOnly(
+ {name: 'mycache'},
+ {name: 'mytopic'}
+ );
+ expect(scope).toEqual({
+ permissions: [
+ {
+ role: TopicRole.PublishOnly,
+ cache: {name: 'mycache'},
+ topic: {name: 'mytopic'},
+ },
+ ],
+ });
+ });
 it('topicPublishSubscribe', () => {
 let scope: TokenScope = TokenScopes.topicPublishSubscribe(
 'mycache',
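Review bot: Both new cases (`cacheWriteOnly` and `topicPublishOnly`) compare the helper's output with an object built from the same enum constant, so they would still pass if the string behind `CacheRole.WriteOnly` or `TopicRole.PublishOnly` were wrong. If those strings are what is sent when a token is requested, pin them with `expect(CacheRole.WriteOnly).toEqual('writeonly');` and `expect(TopicRole.PublishOnly).toEqual('publishonly');`. These unit tests also say nothing about enforcement: a check that a write-only token is refused a read, and a publish-only token a subscribe, belongs in the integration suite if it is not there already. The enclosing `describe('TokenScope', ...)` block starts and ends outside both hunks.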