# Personal API Keys
Access levels and permissions for personal API keys in the REST API.
Personal API keys act on behalf of a user. Compared to service accounts, access is simplified and intended for CLI usage, scripts, and developer workflows.
## Access levels
- Full access: Full access to all resources.
- Read-only: Read access to all resources.
- Secrets write: Full access to secrets, with read-only access to context resources (projects and environments).
## Resource permission matrix

### Full access

| Resource | GET | POST | PATCH | DELETE |
|---|---|---|---|---|
| Projects | ✅ | ✅ | ✅ | ✅ |
| Environments | ✅ | ✅ | ✅ | ✅ |
| Secrets | ✅ | ✅ | ✅ | ✅ |
| Webhooks | ✅ | ✅ | ✅ | ✅ |
| Integrations | ✅ | ✅ | ✅ | ✅ |

### Read-only

| Resource | GET | POST | PATCH | DELETE |
|---|---|---|---|---|
| Projects | ✅ | ❌ | ❌ | ❌ |
| Environments | ✅ | ❌ | ❌ | ❌ |
| Secrets | ✅ | ❌ | ❌ | ❌ |
| Webhooks | ✅ | ❌ | ❌ | ❌ |
| Integrations | ✅ | ❌ | ❌ | ❌ |

### Secrets write

| Resource | GET | POST | PATCH | DELETE |
|---|---|---|---|---|
| Projects | ✅ | ❌ | ❌ | ❌ |
| Environments | ✅ | ❌ | ❌ | ❌ |
| Secrets | ✅ | ✅ | ✅ | ✅ |
| Webhooks | ❌ | ❌ | ❌ | ❌ |
| Integrations | ❌ | ❌ | ❌ | ❌ |

## Scans

Scans use the scans.scan permission. They are not tied to HTTP methods and are treated as a read-level capability.

| Access level | scans.scan |
|---|---|
| Full access | ✅ |
| Read-only | ✅ |
| Secrets write | ✅ |

## Notes

- secrets_write includes read access implicitly.
- Access is always limited by the user's own permissions.
- Webhooks and integrations are not accessible in restricted modes.
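The matrix above, the scans rule and the two notes combined into one authorization check, as an added example that is not the service's own code: the level identifiers full_access and read_only, and all function names, are assumptions (only secrets_write appears on this page).

```python
# Added example: encodes this page's permission matrix as data and checks
# a request against it. Level names other than secrets_write and the
# helper names are assumptions, not identifiers from the product.
from typing import FrozenSet, Iterable, Optional, Set, Tuple

ALL_METHODS: FrozenSet[str] = frozenset({"GET", "POST", "PATCH", "DELETE"})
READ: FrozenSet[str] = frozenset({"GET"})
NONE: FrozenSet[str] = frozenset()

CONTEXT = ("projects", "environments")          # read-only under secrets_write
RESTRICTED = ("webhooks", "integrations")       # hidden under secrets_write
ALL_RESOURCES = (*CONTEXT, "secrets", *RESTRICTED)

# access level -> resource -> HTTP methods the key itself permits
MATRIX = {
    "full_access": {r: ALL_METHODS for r in ALL_RESOURCES},
    "read_only": {r: READ for r in ALL_RESOURCES},
    "secrets_write": {
        **{r: READ for r in CONTEXT},
        "secrets": ALL_METHODS,                 # write implies read
        **{r: NONE for r in RESTRICTED},
    },
}

Perm = Tuple[str, str]  # (resource, method) pair


def key_allows(level: str, resource: str, method: str) -> bool:
    """Does the key's access level alone permit this call? Unknown
    levels or resources are denied rather than raising."""
    allowed = MATRIX.get(level, {}).get(resource.lower(), NONE)
    return method.upper() in allowed


def key_allows_scan(level: str) -> bool:
    """scans.scan is read-level, so every known access level grants it."""
    return level in MATRIX


def is_allowed(level: str, resource: str, method: str,
               user_perms: Set[Perm]) -> bool:
    """Effective decision: the key's level AND the owning user's own
    permissions, since a key can never exceed what the user may do."""
    return key_allows(level, resource, method) and \
        (resource.lower(), method.upper()) in user_perms


def minimum_level(required: Iterable[Perm]) -> Optional[str]:
    """Least-privileged level covering every (resource, method) a script
    needs; None means no single level is enough (or a resource is unknown)."""
    needs = list(required)
    for level in ("read_only", "secrets_write", "full_access"):
        if all(key_allows(level, r, m) for r, m in needs):
            return level
    return None
```

Run minimum_level over the exact calls a script makes before issuing a key, so it gets the narrowest level that still works.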

## IP allowlist

Each personal API key has its own IP allowlist configuration.