Every Public API key carries a list of operation scopes. Each endpoint requires one or more scopes; calls without the right scope return 403 Forbidden with { "error": { "code": "FORBIDDEN", "message": "Operation not allowed" } }.

Scope naming

Scopes use the form <resource>:<verb>. The available scopes today:
| Scope | What it allows |
| --- | --- |
| conversation:read | GET /v1/conversation/{id} and GET /v1/conversation/{id}/context |
| conversation:write | PATCH /v1/conversation/{id} |
| client:read | All GET endpoints under /v1/client |
| client:write | All POST and PATCH endpoints under /v1/client |
| user:read | All GET endpoints under /v1/user |
| site:read | All GET endpoints under /v1/site |
| site:write | All POST and PATCH endpoints under /v1/site |
Each endpoint’s required scope is also shown in the API Reference tab in the “Required permissions” callout under the endpoint summary.

Choosing scopes

When you create a key in Settings → Integrations → Developer (see Authentication), select the minimum set of scopes your integration needs. Granting a parent resource also grants its children (for example, client:read includes clientEmail:read).
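One way to work out that minimum set is to list the calls your integration makes and map each one through the scope table above. The following is an added example, not code from the API's vendor: the function names, the sample paths under each resource, and the sample key are constructed for illustration, and the parent/child rule is not modelled because the page names only one such pair.

```python
import re

# Scope table transcribed from this page: (scope, HTTP methods, path pattern).
SCOPE_RULES = [
    ("conversation:read", {"GET"}, r"/v1/conversation/[^/]+(/context)?"),
    ("conversation:write", {"PATCH"}, r"/v1/conversation/[^/]+"),
    ("client:read", {"GET"}, r"/v1/client(/.*)?"),
    ("client:write", {"POST", "PATCH"}, r"/v1/client(/.*)?"),
    ("user:read", {"GET"}, r"/v1/user(/.*)?"),
    ("site:read", {"GET"}, r"/v1/site(/.*)?"),
    ("site:write", {"POST", "PATCH"}, r"/v1/site(/.*)?"),
]


def required_scope(method, path):
    """Return the scope the table assigns to a call, or None if it lists none."""
    path = path.split("?", 1)[0]  # the table keys on method and path only
    for scope, methods, pattern in SCOPE_RULES:
        if method.upper() in methods and re.fullmatch(pattern, path):
            return scope
    return None


def audit_key(granted, calls):
    """Compare a key's scopes with the calls an integration makes.

    Returns (missing, unused, unmapped): scopes to add because those calls
    would get 403 FORBIDDEN, granted scopes no call needs, and calls for
    which the table lists no scope.
    """
    needed, unmapped = set(), []
    for method, path in calls:
        scope = required_scope(method, path)
        if scope is None:
            unmapped.append((method, path))
        else:
            needed.add(scope)
    return sorted(needed - set(granted)), sorted(set(granted) - needed), unmapped


# Constructed sample: calls made by a hypothetical integration, and its key's scopes.
CALLS = [("GET", "/v1/conversation/abc123/context"), ("PATCH", "/v1/conversation/abc123"),
         ("GET", "/v1/client/42?limit=10"), ("POST", "/v1/user/9")]
GRANTED = ["conversation:read", "client:read", "client:write", "site:write"]

if __name__ == "__main__":
    missing, unused, unmapped = audit_key(GRANTED, CALLS)
    print("add:", missing, "| remove:", unused, "| no scope listed:", unmapped)
```

Calls reported as having no scope listed should be checked against the "Required permissions" callout in the API Reference before the key is issued.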

Updating scopes on an existing key

Open Settings → Integrations → Developer, choose the key, and select Edit scopes. Saving updates the key’s allowed operations without changing the secret value.