Permissions & scopes
Scopes a key can carry.
A key carries a set of scopes. Each endpoint requires a specific scope; a call without it returns 403 forbidden with the missing scope named.
| Scope | Friendly name | Endpoints it unlocks |
|---|---|---|
ai_explain | Interpret & explain | interpret, conversations, messages, embed tokens |
analysis_tab | Run analyses | start & poll analyses |
project_upload | Upload projects | ingest |
hmi_view | View HMI | carried by read-only embed tokens |
Project scope
A key may optionally be restricted to specific projects. When set, any project-targeted call to a project outside the scope returns 403 project_scope_forbidden.
A project-scoped key may add a version to an in-scope project, but can never create a new project identity via ingest. Creating new identities requires an unscoped key.