Scopes
Every access key carries a set of scopes that limit what the key can do. Grant only what is needed.
Browser sessions (cookie-based login) always have full access and are not subject to scope restrictions.
Available scopes
| Scope | Description |
|---|---|
| categories:read | List and view key categories |
| categories:write | Create, update, and delete categories |
| entries:read | List and view entries (without values) |
| entries:write | Create, update, and delete entries |
| entries:reveal | Decrypt and reveal entry values |
| 2fa:read | List and view 2FA tokens (without codes) |
| 2fa:write | Create, update, and delete 2FA tokens |
| 2fa:reveal | Reveal 2FA recovery codes |
| envs:read | List and view env projects and files |
| envs:write | Create, update, and delete env projects/files |
| envs:reveal | Decrypt and reveal env file content |
| stats:read | Read dashboard statistics |
| export:read | Export all entries as a .env file |
| ai:extract | Use AI extraction to generate .env snippets |
Scope mapping to endpoints
| Endpoint | Method | Required scope |
|---|---|---|
| /api/categories | GET | categories:read |
| /api/categories | POST | categories:write |
| /api/categories/{id} | GET | categories:read |
| /api/categories/{id} | PUT | categories:write |
| /api/categories/{id} | DELETE | categories:write |
| /api/entries | GET | entries:read |
| /api/entries | POST | entries:write |
| /api/entries/{id} | GET | entries:read |
| /api/entries/{id} | PUT | entries:write |
| /api/entries/{id} | DELETE | entries:write |
| /api/entries/{id}/reveal | POST | entries:reveal |
| /api/entries/project-names | GET | entries:read |
| /api/2fa | GET | 2fa:read |
| /api/2fa | POST | 2fa:write |
| /api/2fa/{id} | PUT | 2fa:write |
| /api/2fa/{id} | DELETE | 2fa:write |
| /api/2fa/{id}/reveal | POST | 2fa:reveal |
| /api/envs | GET | envs:read |
| /api/envs | POST | envs:write |
| /api/envs/{id} | GET | envs:read |
| /api/envs/{id} | PUT | envs:write |
| /api/envs/{id} | DELETE | envs:write |
| /api/envs/{id}/files | GET | envs:read |
| /api/envs/{id}/files | POST | envs:write |
| /api/envs/{id}/files/{fileId} | DELETE | envs:write |
| /api/envs/{id}/files/{fileId}/reveal | POST | envs:reveal |
| /api/stats | GET | stats:read |
| /api/export | GET | export:read |
| /api/ai/extract | POST | ai:extract |
| /api/access-keys | GET, POST | (session auth only) |
| /api/access-keys/{id} | DELETE | (session auth only) |
| /api/account/data | DELETE | (session auth only) |
| /api/openapi | GET | (public, no auth) |
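
One way to audit a key against the endpoint table above, as an added example (not the project's own code): `scope_for` and `audit_key` are hypothetical helpers, and `SESSION`/`PUBLIC` are markers made up here for the session-only and unauthenticated rows. Given the calls an automation makes, it reports the scopes the key is missing, the scopes it holds but never uses, and the calls no access key can make.

```python
import re
# Transcribed from the endpoint table above; SESSION/PUBLIC are this example's own markers.
ROUTES = """\
/api/categories GET=categories:read POST=categories:write
/api/categories/{id} GET=categories:read PUT=categories:write DELETE=categories:write
/api/entries GET=entries:read POST=entries:write
/api/entries/project-names GET=entries:read
/api/entries/{id} GET=entries:read PUT=entries:write DELETE=entries:write
/api/entries/{id}/reveal POST=entries:reveal
/api/2fa GET=2fa:read POST=2fa:write
/api/2fa/{id} PUT=2fa:write DELETE=2fa:write
/api/2fa/{id}/reveal POST=2fa:reveal
/api/envs GET=envs:read POST=envs:write
/api/envs/{id} GET=envs:read PUT=envs:write DELETE=envs:write
/api/envs/{id}/files GET=envs:read POST=envs:write
/api/envs/{id}/files/{fileId} DELETE=envs:write
/api/envs/{id}/files/{fileId}/reveal POST=envs:reveal
/api/stats GET=stats:read
/api/export GET=export:read
/api/ai/extract POST=ai:extract
/api/access-keys GET=SESSION POST=SESSION
/api/access-keys/{id} DELETE=SESSION
/api/account/data DELETE=SESSION
/api/openapi GET=PUBLIC
"""

_TABLE = []  # (compiled path pattern, {METHOD: scope}); literal paths precede templates
for _line in ROUTES.splitlines():
    _path, *_pairs = _line.split()
    _rx = re.compile(re.sub(r"\{\w+\}", "[^/]+", _path))  # {id} -> one path segment
    _TABLE.append((_rx, dict(p.split("=") for p in _pairs)))

def scope_for(method, path):
    """Scope for one call, or SESSION / PUBLIC / None (not in the table)."""
    for rx, methods in _TABLE:
        if rx.fullmatch(path):
            return methods.get(method.upper())
    return None

def audit_key(granted, calls):
    """Diff a key's granted scopes against the (method, path) calls it must make."""
    needed, blocked, have = set(), [], set(granted)
    for method, path in calls:
        scope = scope_for(method, path)
        if scope in (None, "SESSION"):
            blocked.append((method, path))  # no access-key scope covers this call
        elif scope != "PUBLIC":
            needed.add(scope)
    return {"missing": sorted(needed - have), "excess": sorted(have - needed), "blocked": blocked}
```

A non-empty `excess` list is the signal to issue a narrower key, in line with granting only what is needed.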
Recommended scope sets
Read-only automation (e.g., deployment scripts that only read secrets)

```json
["entries:read", "entries:reveal"]
```

CI/CD pipeline that also generates .env files

```json
["categories:read", "entries:read", "entries:reveal", "ai:extract"]
```

Env file management

```json
["envs:read", "envs:write", "envs:reveal"]
```

Full API access (admin-equivalent, no key management)

```json
[
  "categories:read", "categories:write",
  "entries:read", "entries:write", "entries:reveal",
  "2fa:read", "2fa:write", "2fa:reveal",
  "envs:read", "envs:write", "envs:reveal",
  "stats:read", "export:read", "ai:extract"
]
```

Error responses
When a key lacks the required scope, the API returns:

```http
HTTP/1.1 403 Forbidden
Content-Type: application/json

{ "error": "Forbidden" }
```

A missing or invalid key returns:

```http
HTTP/1.1 401 Unauthorized
Content-Type: application/json

{ "error": "Unauthorized" }
```