API-key scopes
Scopes use theresource:action format. A request must have the required scope and be inside the key’s allowed environment and resources.
| Scope | Allows |
|---|---|
tenants:read | List and inspect accessible tenants |
tenants:write | Create or update tenants |
tenants:delete | Delete tenants |
knowledge_bases:read | List and inspect accessible knowledge bases |
knowledge_bases:write | Create or update knowledge bases |
knowledge_bases:delete | Delete knowledge bases |
documents:read | List, inspect, and download documents |
documents:write | Upload and reprocess documents |
documents:delete | Delete documents |
agents:read | List agents and inspect run history |
agents:write | Create, configure, deploy, and schedule agents |
agents:run | Run agents and stop active runs |
agents:delete | Archive agents |
query:rag | Create chats, send messages, and run grounded queries |
admin:full | Satisfy every required API-key scope |
If you omit scopes when creating a key, AutoSage grants a default integration set for tenant, knowledge-base, and document read/write operations plus
query:rag. Specify scopes explicitly when you need a narrower key.Scopes and resource lists work together
A key withdocuments:write can upload only to knowledge bases it is allowed to reach. Conversely, listing a knowledge base on a key does not grant permission to write documents unless the key also has documents:write.
Organization roles
Signed-in users receive a role for each organization they belong to. Roles govern dashboard and administrative operations; endpoint-specific checks still apply.| Role | Typical capabilities |
|---|---|
owner | Full organization access, including members, roles, billing, environments, tenants, content, and deletion |
billing_admin | Billing and day-to-day administration of environments, tenants, knowledge bases, and resources |
developer | Create and edit permitted content such as documents and chats without organization-level administration |
viewer | Read-only access to organization resources |
Owners have full access within their organization. Organization membership and role checks apply to user sessions; API keys use scopes and resource access lists instead.
Recommended key split
For most production integrations, keep the number of keys small and give each one a clear responsibility:Provisioning key
A tightly protected backend key with tenant and knowledge-base write scopes. Add
admin:full only when broad scope coverage is truly required; populated resource allowlists still apply.Runtime key
A backend key with
query:rag and read access to only the resources used by the application.Next steps
API keys
Create, inspect, and revoke keys.
Integration best practices
Apply security, tenancy, reliability, and cost guidance together.