Scopes & permissions

The per-resource CRUD scope model, how actions map, and the full resource list.

Each API key is granted a set of scopes. A scope is one action on one resource, written resource.action, for example leads.read or invoices.create.

The four actions are:

  Action   Granted for endpoints that...
  read     list, get, search, preview, or export records.
  create   create a new record (create, add, invite, import, duplicate).
  update   change an existing record (edit, set, assign, claim, approve, submit, reorder, trigger, run).
  delete   remove or disable a record (delete, remove, cancel, revoke, archive).

Every endpoint declares the single scope it needs. A request is allowed only when the key grants that exact resource.action. Two important rules:

  • Fail closed. Endpoints that are not part of the public API (for example platform super-admin, billing changes, and API-key management itself) have no scope and can never be called with a key, no matter what it is granted.
  • Scope is the only limit. A key acts with full workspace authority bounded by its scopes (see Authentication). Grant the minimum.

A call without the needed scope returns 403 with a message naming the missing scope, so you can tell exactly what to add.

Resources

Most resources support all four actions (read, create, update, delete). The exceptions are listed with their available actions.

CRM

  • clients, clientContacts, clientFiles, clientTasks, clientUsers, clientPasswords, leads, quotes, recurringQuotes, invoices, payments, expenses, projects, projectKpis - full CRUD.
  • contacts - read only.

Finance

  • paymentAccounts, statementEntries - full CRUD.
  • finance - read only (dashboards / reports).

Work

  • tasks, recurringTasks, workflows - full CRUD.
  • submissions - update, delete (approve / reject / revise / delete a task submission).
  • files - read, create.
  • meetings, chat, passwords - full CRUD.
  • rewards - read, create.

Inventory

  • inventoryItems, inventoryLocations, inventoryFields - full CRUD.
  • inventoryMovements - read, update (record movements / transfers / reconcile).

People & org

  • users, teams, roles, holidays - full CRUD.
  • org - full CRUD (organisation settings, members, invites).
  • notifications, emailSenders, shortUrls - full CRUD.
  • audit - read only.

The endpoint name is resource.procedure (for example clients.getAll, tasks.create). The scope it needs is resource.action. When in doubt, make the call: a 403 response names the exact scope required.
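The following is an added example, not the vendor's code: a model of the scope check described on this page (verb-to-action table, exact resource.action match, fail closed for unscoped endpoints, 403 naming the missing scope). It assumes procedure names map to actions by verb prefix and uses a small subset of the resource list; `apiKeys` stands in for an unscoped resource as a constructed placeholder.

```python
from __future__ import annotations
from dataclasses import dataclass

# Procedure-name prefix -> action, taken from the action table on this page.
VERB_ACTION = {
    "read":   ("list", "get", "search", "preview", "export"),
    "create": ("create", "add", "invite", "import", "duplicate"),
    "update": ("edit", "set", "assign", "claim", "approve", "submit", "reorder", "trigger", "run"),
    "delete": ("delete", "remove", "cancel", "revoke", "archive"),
}
ALL_ACTIONS = frozenset(VERB_ACTION)

# Resources with fewer than four actions (from the resource list above). Every other
# public resource supports full CRUD. Only a subset of the page's resources is listed here.
LIMITED = {
    "contacts": {"read"}, "finance": {"read"}, "audit": {"read"},
    "submissions": {"update", "delete"}, "files": {"read", "create"},
    "rewards": {"read", "create"}, "inventoryMovements": {"read", "update"},
}
PUBLIC_RESOURCES = {"clients", "leads", "invoices", "tasks", "users", *LIMITED}

@dataclass(frozen=True)
class Decision:
    status: int   # 200, or 403 whose body names what is missing
    detail: str

def action_for(procedure: str) -> str | None:
    """Map a procedure name such as 'getAll' to its action by verb prefix.
    Assumption: the real API declares the scope per endpoint; prefix matching
    simply reproduces the verbs listed in the table."""
    for action, verbs in VERB_ACTION.items():
        if any(procedure.startswith(v) for v in verbs):
            return action
    return None

def declared_scope(endpoint: str) -> str | None:
    """Return the one scope an endpoint needs, or None when it has no scope.
    Resources outside the public list (constructed example: apiKeys) and actions a
    resource does not offer (e.g. contacts.create) yield None, so they fail closed."""
    resource, _, procedure = endpoint.partition(".")
    action = action_for(procedure)
    if resource not in PUBLIC_RESOURCES or action is None:
        return None
    if action not in LIMITED.get(resource, ALL_ACTIONS):
        return None
    return f"{resource}.{action}"

def authorize(key_scopes: set[str], endpoint: str) -> Decision:
    """Allow only when the key grants the exact resource.action the endpoint declares."""
    needed = declared_scope(endpoint)
    if needed is None:
        return Decision(403, f"{endpoint} is not callable with an API key")  # fail closed
    if needed not in key_scopes:
        return Decision(403, f"missing scope {needed}")
    return Decision(200, f"allowed by {needed}")
```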