Scopes
The full taxonomy of API-key scopes. Least privilege by default.
What it is
Every API call requires a key that holds the right scope. Scopes are always negative (a missing scope → 403 forbidden_scope); never positive (no scope grants more than it says). Default keys come with read scopes only; you must explicitly grant write scopes.
Quickstart
asc keys create deploy --scopes pods:write,storage:write,functions:writeclient.keys.create(name='deploy', scopes=['pods:write','storage:write'])await client.keys.create({ name: 'deploy', scopes: ['pods:write','storage:write'] });Security
All access is authenticated and scoped. See Auth & scopes and Network controls.
Scope table
| Scope | Grants | Default in |
|---|---|---|
audit:read | Read audit events | admin keys |
billing:read | Read usage / invoices / budgets | all keys (default) |
functions:read | Read & list functions | all keys (default) |
functions:write | Create/update/delete/invoke functions | developer & admin keys |
pods:read | Read & list pods | all keys (default) |
pods:write | Run/stop/delete pods | developer & admin keys |
storage:read | Read & list buckets/objects | all keys (default) |
storage:write | Create/upload/delete buckets/objects | developer & admin keys |
secrets:read | List secret references | developer & admin keys |
secrets:write | Create/update/delete secrets | admin keys |
gateway:read | Read AI gateway routes & logs | all keys (default) |
gateway:write | Manage AI gateway routes | developer & admin keys |
agents:write | Manage agent workspaces | developer & admin keys |
sandbox:write | Run sandboxes | developer & admin keys |
edge:read | Read edge config + analytics | all keys (default) |
edge:write | Manage edge zones, rules, deployments | developer & admin keys |
edge.waf:write | Manage WAF rules | admin keys |
shield:read | Read shield config + events | all keys (default) |
shield:write | Manage shield primitives | admin keys |
shield.waf:write | Manage Shield WAF rules | admin keys |
mcp:invoke | Call MCP tools (per-tool scope check still applies) | all keys (default) |
observe:read | Read metrics, logs, traces | all keys (default) |
keys:write | Create/rotate/revoke API keys | admin keys |
projects:write | Create/update projects | owner only |
admin:* | Tenant-wide admin (don't issue lightly) | owner only |