Scopes & permissions
The per-resource CRUD scope model, how actions map, and the full resource list.
Each API key is granted a set of scopes. A scope is one action on one
resource, written resource.action, for example leads.read or
invoices.create.
The four actions are:
| Action | Granted for endpoints that... |
|---|---|
| read | list, get, search, preview, or export records. |
| create | create a new record (create, add, invite, import, duplicate). |
| update | change an existing record (edit, set, assign, claim, approve, submit, reorder, trigger, run). |
| delete | remove or disable a record (delete, remove, cancel, revoke, archive). |
Every endpoint declares the single scope it needs. A request is allowed only
when the key grants that exact resource.action. Two important rules:
- Fail closed. Endpoints that are not part of the public API (for example platform super-admin, billing changes, and API-key management itself) have no scope and can never be called with a key, no matter what it is granted.
- Scope is the only limit. Within each scope it is granted, a key acts with full workspace authority; there is no further narrowing by record, owner or user (see Authentication). Grant the minimum set of scopes the integration actually calls.
A call without the needed scope returns 403 with a message naming the missing
scope, so you can tell exactly what to add.
Resources
Most resources support all four actions (read, create, update, delete).
The exceptions are listed with their available actions.
CRM
clients, clientContacts, clientFiles, clientTasks, clientUsers,
clientPasswords, leads, quotes, recurringQuotes, invoices,
payments, expenses, projects, projectKpis - full CRUD.
contacts - read only.
Finance
paymentAccounts, statementEntries - full CRUD.
finance - read only (dashboards / reports).
Work
tasks, recurringTasks, workflows - full CRUD.
submissions - update, delete (approve / reject / revise / delete a task submission).
files - read, create.
meetings, chat, passwords - full CRUD.
rewards - read, create.
Inventory
inventoryItems, inventoryLocations, inventoryFields - full CRUD.
inventoryMovements - read, update (record movements / transfers / reconcile).
People & org
users, teams, roles, holidays - full CRUD.
org - full CRUD (organisation settings, members, invites).
notifications, emailSenders, shortUrls - full CRUD.
audit - read only.
The endpoint name is resource.procedure (for example clients.getAll, tasks.create). The scope it needs is resource.action. When in doubt, make the call: a 403 response names the exact scope required.
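The check these rules describe, together with the endpoint-name-to-scope mapping of the last paragraph, as an added TypeScript example. This is not the platform's own code: the verb-to-action table is the one on this page and the resource catalog is a subset of the resource list above, but the rule that an endpoint's action follows from the leading verb of its procedure name (getAll -> get -> read), the 403 message wording, and the function names `requiredScope`, `authorize` and `minimumScopes` are assumptions made for illustration.

```typescript
// Added example: a model of the scope check described on this page. It is
// not the platform's own code. The verb-to-action table is the page's; the
// leading-verb rule, the resource catalog subset and the 403 wording are
// assumptions made for illustration.

type Action = "read" | "create" | "update" | "delete";

// Verb -> action, copied from the actions table. The action of a procedure is
// ASSUMED here to follow from its leading verb (getAll -> get -> read); the
// real API simply declares one scope per endpoint.
const VERB_ACTION: Record<string, Action> = {
  list: "read", get: "read", search: "read", preview: "read", export: "read",
  create: "create", add: "create", invite: "create", import: "create", duplicate: "create",
  edit: "update", set: "update", assign: "update", claim: "update", approve: "update",
  submit: "update", reorder: "update", trigger: "update", run: "update",
  delete: "delete", remove: "delete", cancel: "delete", revoke: "delete", archive: "delete",
};

const CRUD: Action[] = ["read", "create", "update", "delete"];

// Actions each resource exposes publicly (a subset of the resource list above).
// A resource or action missing here has no scope: fail closed.
const RESOURCE_ACTIONS: Record<string, Action[]> = {
  clients: CRUD, leads: CRUD, invoices: CRUD, tasks: CRUD,
  contacts: ["read"],                      // read only
  submissions: ["update", "delete"],
  files: ["read", "create"],
  inventoryMovements: ["read", "update"],
  audit: ["read"],
};

// "getAll" -> "get", "approve" -> "approve".
function leadingVerb(procedure: string): string {
  const m = /^[a-z]+/.exec(procedure);
  return m ? m[0] : "";
}

// The single scope an endpoint needs, or null when the endpoint is not part of
// the public API (unknown resource, unknown verb, or an action the resource
// does not expose). null can never be satisfied by any key.
function requiredScope(endpoint: string): string | null {
  const parts = endpoint.split(".");
  if (parts.length !== 2) return null;
  const resource = parts[0];
  const action = VERB_ACTION[leadingVerb(parts[1])];
  const exposed = RESOURCE_ACTIONS[resource];
  if (!action || !exposed || exposed.indexOf(action) < 0) return null;
  return resource + "." + action;
}

interface Decision { status: 200 | 403; message: string; }

// Exact match only: no wildcards, and no scope implies another
// (leads.update does not grant leads.read).
function authorize(grantedScopes: string[], endpoint: string): Decision {
  const scope = requiredScope(endpoint);
  if (scope === null) {
    return { status: 403, message: endpoint + " is not callable with an API key" };
  }
  if (grantedScopes.indexOf(scope) < 0) {
    // Hypothetical wording; the page only says the message names the scope.
    return { status: 403, message: "Missing scope: " + scope };
  }
  return { status: 200, message: "OK" };
}

// The smallest scope set that covers a planned list of calls: grant exactly this.
function minimumScopes(endpoints: string[]): string[] {
  const scopes: string[] = [];
  for (const e of endpoints) {
    const s = requiredScope(e);
    if (s !== null && scopes.indexOf(s) < 0) scopes.push(s);
  }
  return scopes.sort();
}
```

Because the comparison is an exact string match, a key holding only leads.update cannot list leads, and a call against a resource that is not in the catalog (the page's billing and API-key management endpoints, for instance) is refused whatever the key holds. The practical use is `minimumScopes`: feed it the endpoints an integration calls and grant the key exactly that set.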