<resource>:<action>. Resources are things like pages, secrets, domains. Actions are one of four verbs. Workspace API keys are minted with an explicit scope set; OAuth session tokens inherit the authenticated user’s permissions for the active workspace.
The four action verbs
The implication chain
:destructive implies :write, and :write implies :read. A token granted tokens:destructive can also read and write tokens — it holds the full chain.
The chain is a convenience for the broad cases. The recommendation is the opposite: grant the narrowest verb that does the job. If your integration only lists tokens, grant tokens:read and stop. Broad grants compound over time, and a key that holds more than it needs is the one that hurts when it leaks.
Scope catalogue
Every endpoint in the public API is in this table. If you can’t find an endpoint here, it’s not callable with an API key — it’s an internal route or requires an OAuth session.Why secrets:set is its own verb
Secrets break the implication chain on purpose. A secret value is write-only — once stored, it can never be read back through the API, not even by the key that wrote it. That’s why secrets:set is separate from secrets:write: writing the value of a secret is a different operation from rotating one, and the platform won’t let you confuse them.
The practical consequence: a key that injects secrets into a vault (CI, a deploy pipeline) gets secrets:set. A key that manages secret lifecycle (rotation, deletion) gets secrets:write or secrets:destructive. A key that only proxies through to a downstream service via the secret value gets secrets:read — which returns metadata and a proxy URL, never the value.
Minting a least-privilege key
API keys vs. OAuth — which to issue
The two credential types exist for different consumers; they aren’t interchangeable. The decision rule: if a person clicks a button to start the flow, OAuth. If a cron job or a CI runner starts it, API key.Authentication reference
Token formats, OAuth 2.1 PKCE flow, token lifecycle operations, and the full error code table.