Scopes

API key scopes and access levels

Overview

API key scopes control which resources a key can access and what actions it can perform. Each scope follows a resource:level pattern.

Access Levels

Scope levels are hierarchical — higher levels include the permissions of lower levels:

LevelGrants
readView and list resources
createEverything in read, plus create new resources
writeEverything in create, plus update and delete resources

For example, a key with builds:write can read, create, update, and delete builds.


Workspace Key Scopes

Workspace API keys can be assigned any combination of the following scopes:

ScopeDescription
workspace:readAccess workspace labels, default streams, and custom targets
members:readList workspace members
applications:readList and view all applications in the workspace
applications:createCreate new applications
applications:writeUpdate, delete applications and manage their streams, labels, and platforms
builds:readList and view builds, download build files and metadata
builds:createUpload new builds
builds:writeUpdate, delete builds and manage build labels, stream, and architectures
releases:readList and view releases
releases:createCreate new releases
releases:writeUpdate, delete releases and manage release builds and labels
share_links:readList share links on builds and releases
share_links:createCreate new share links
share_links:writeDelete share links
distribution_groups:readList and view distribution groups
distribution_groups:createCreate new distribution groups
distribution_groups:writeUpdate, delete distribution groups and manage their releases
portals:readList and view portals and portal content
portals:writeUpdate, delete portals and publish/remove releases
webhooks:readList and view webhooks and webhook request history
webhooks:createCreate new webhooks
webhooks:writeUpdate, delete, and test webhooks

The workspace and members scopes are only available on workspace-level API keys. Some endpoints like GET /workspace require no scope at all.


Application Key Scopes

Application API keys are scoped to a single application and can only access a subset of resources:

ScopeDescription
application:readView the application's own details
application:writeUpdate application details (name, description, and related settings)
members:readList members with access to this application
members:writeUpdate application member roles
members:createInvite or add members to the application (not yet available via API)
builds:readList and view builds for this application
builds:createUpload new builds to this application
builds:writeUpdate, delete builds and manage labels, stream, and architectures
releases:readList and view releases for this application
releases:createCreate new releases
releases:writeUpdate, delete releases and manage release builds and labels
share_links:readList share links on this application's builds and releases
share_links:createCreate new share links
share_links:writeDelete share links
webhooks:readList and view webhooks for this application
webhooks:createCreate new webhooks
webhooks:writeUpdate, delete, and test webhooks

Application keys cannot access workspace-level resources such as applications (listing all apps), distribution_groups, portals, or workspace settings. They also cannot access resources belonging to other applications.


Scope Errors

If a request is made without the required scope, the API returns 403 Forbidden:

{
  "message": "This action requires 'builds:read' scope."
}

Each endpoint's documentation notes which scope is required.