Version: Next (unreleased)

Scopes & Permissions

Every API key carries a list of scopes that define what it can do.

Scope format:

integrations.{resource}.{action}
  • {resource}: orders, inventory, locations, products
  • {action}: read, write, delete, or *

HTTP → action mapping

HTTP method        | Action
GET, HEAD, OPTIONS | read
POST, PUT, PATCH   | write
DELETE             | delete

Wildcards

A broader scope implicitly grants every narrower one:

integrations.* → all integration actions
└── integrations.orders.* → all order actions
    ├── integrations.orders.read
    ├── integrations.orders.write
    └── integrations.orders.delete

Common setups

Full access

["integrations.*"]

Orders and inventory only

["integrations.orders.*", "integrations.inventory.*"]

Read-only across resources

[
  "integrations.orders.read",
  "integrations.inventory.read",
  "integrations.locations.read",
  "integrations.products.read"
]

Push-only (write, no read)

["integrations.orders.write", "integrations.inventory.write"]

When a scope is missing

HTTP 403 Forbidden
{"detail": "You do not have permission to perform this action."}

Add the missing scope to the key from the dashboard — see Managing API keys.
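
The following is an added example, not the service's own code. It sketches how the method mapping and wildcard rules above combine into an allow/403 decision, evaluated against the four common setups. The function names are hypothetical, and treating unmapped methods and a bare "*" as denied is an assumption of this sketch.

```python
# Added example: hypothetical names, not the service's own implementation.
METHOD_TO_ACTION = {
    "GET": "read", "HEAD": "read", "OPTIONS": "read",
    "POST": "write", "PUT": "write", "PATCH": "write",
    "DELETE": "delete",
}

def required_scope(method, resource):
    """Scope a request needs, or None for a method the table does not map."""
    action = METHOD_TO_ACTION.get(method.upper())
    return f"integrations.{resource}.{action}" if action else None

def scope_grants(granted, required):
    """True if `granted` equals `required` or is a wildcard covering it."""
    g, r = granted.split("."), required.split(".")
    if g[-1] != "*":
        return g == r
    prefix = g[:-1]
    # Compare whole dot-separated segments, never raw string prefixes, so
    # "integrations.order.*" does not cover "integrations.orders.read".
    # Assumption: a bare "*" is not a documented scope and grants nothing.
    return bool(prefix) and len(r) > len(prefix) and r[:len(prefix)] == prefix

def is_allowed(key_scopes, method, resource):
    """Deny by default: unmapped methods and uncovered scopes both fail."""
    needed = required_scope(method, resource)
    return needed is not None and any(scope_grants(s, needed) for s in key_scopes)

# The page's "Common setups", used as sample keys.
SETUPS = {
    "full": ["integrations.*"],
    "orders+inventory": ["integrations.orders.*", "integrations.inventory.*"],
    "read-only": [f"integrations.{r}.read"
                  for r in ("orders", "inventory", "locations", "products")],
    "push-only": ["integrations.orders.write", "integrations.inventory.write"],
}

if __name__ == "__main__":
    requests = [("GET", "orders"), ("POST", "orders"),
                ("DELETE", "inventory"), ("GET", "locations")]
    for name, scopes in SETUPS.items():
        for method, resource in requests:
            verdict = "allow" if is_allowed(scopes, method, resource) else "403"
            print(f"{name:18} {method:6} {resource:10} -> {verdict}")
```

Only the trailing wildcard forms shown on this page are handled. The push-only rows show that write does not imply read: a GET with that key is denied.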