Scopes

Scope matrix for Management API keys.

Management API keys are denied by default. A route requires both the matching scope and, when the route targets an application, access to that application.

Dashboard sessions bypass scope checks because the session belongs to the account owner. Management API keys never bypass scope or application-access checks.

ScopeAllows
applications:readList applications and read application settings.
applications:createCreate applications. Requires all-application access.
applications:updateUpdate application settings, license levels, and application API keys.
applications:deleteDelete applications.
licenses:readRead license metadata and tables.
licenses:createCreate licenses.
licenses:updatePause, extend, reset, blacklist, reinitialize, link, or edit licenses.
licenses:deleteDelete one or all licenses.
app_users:readRead app user metadata and tables.
app_users:createCreate app users.
app_users:updateReset client id, link license, or edit app users.
app_users:deleteDelete one or all app users.
blacklists:readRead blacklist metadata and tables.
blacklists:createCreate blacklist entries.
blacklists:updateEdit blacklist entries.
blacklists:deleteDelete one or all blacklist entries.
variables:readRead variables.
variables:createCreate variables.
variables:updateEdit variables.
variables:deleteDelete variables.
files:readRead file metadata and file tables.
files:uploadRequest file upload URLs and check upload state.
files:deleteDelete files or rename file records.
sessions:readRead live session data.
sessions:disconnectDisconnect live sessions.
account:readRead account plan limits.

Application access

Each key can be created with:

  • allApplications: true, which allows any current or future application;
  • allApplications: false plus applicationIds, which restricts the key to specific applications.

Routes without applicationId use only the scope check. Routes with applicationId also require access to that application.

Action scopes

Action endpoints choose their scope from the requested action:

EndpointDelete actionsOther actions
/license-actionlicenses:deletelicenses:update
/users-actionapp_users:deleteapp_users:update
/blacklist-actionblacklists:deleteNot applicable
/file-actionfiles:deletefiles:delete

Authentication

Authenticate Management API requests with a Bearer token.

Endpoints

Current Management API endpoint groups and required scopes.

On this page

Application accessAction scopes