AIARCOASC Docs

Scopes

The full taxonomy of API-key scopes. Least privilege by default.

What it is

Every API call requires a key that holds the right scope. Scopes are always negative (a missing scope → 403 forbidden_scope); never positive (no scope grants more than it says). Default keys come with read scopes only; you must explicitly grant write scopes.

Quickstart

asc keys create deploy --scopes pods:write,storage:write,functions:write
client.keys.create(name='deploy', scopes=['pods:write','storage:write'])
await client.keys.create({ name: 'deploy', scopes: ['pods:write','storage:write'] });

Security

All access is authenticated and scoped. See Auth & scopes and Network controls.

Scope table

ScopeGrantsDefault in
audit:readRead audit eventsadmin keys
billing:readRead usage / invoices / budgetsall keys (default)
functions:readRead & list functionsall keys (default)
functions:writeCreate/update/delete/invoke functionsdeveloper & admin keys
pods:readRead & list podsall keys (default)
pods:writeRun/stop/delete podsdeveloper & admin keys
storage:readRead & list buckets/objectsall keys (default)
storage:writeCreate/upload/delete buckets/objectsdeveloper & admin keys
secrets:readList secret referencesdeveloper & admin keys
secrets:writeCreate/update/delete secretsadmin keys
gateway:readRead AI gateway routes & logsall keys (default)
gateway:writeManage AI gateway routesdeveloper & admin keys
agents:writeManage agent workspacesdeveloper & admin keys
sandbox:writeRun sandboxesdeveloper & admin keys
edge:readRead edge config + analyticsall keys (default)
edge:writeManage edge zones, rules, deploymentsdeveloper & admin keys
edge.waf:writeManage WAF rulesadmin keys
shield:readRead shield config + eventsall keys (default)
shield:writeManage shield primitivesadmin keys
shield.waf:writeManage Shield WAF rulesadmin keys
mcp:invokeCall MCP tools (per-tool scope check still applies)all keys (default)
observe:readRead metrics, logs, tracesall keys (default)
keys:writeCreate/rotate/revoke API keysadmin keys
projects:writeCreate/update projectsowner only
admin:*Tenant-wide admin (don't issue lightly)owner only