Scopes and permissions
The permission scopes a key can hold and what each one allows.
Updated June 11, 2026
Every API key is granted a set of scopes in the form resource:action. A request that needs a scope the key does not hold returns 403 Forbidden.
Available scopes
đź’ˇ
| Scope | Allows |
|---|---|
conversations:read |
List and read conversations |
conversations:write |
Create conversations, resolve, reopen |
messages:read |
List a conversation’s messages |
messages:write |
Send messages |
contacts:read |
List and read contacts |
contacts:write |
Create and update contacts |
helpdesk:read |
Read help-center articles and categories |
helpdesk:write |
Create and edit articles and categories |
changelog:read |
Read changelog entries |
changelog:write |
Create and edit changelog entries |
roadmap:read |
Read roadmap items |
roadmap:write |
Create and edit roadmap items |
webhooks:read |
List webhook subscriptions |
webhooks:write |
Create, update, and delete webhooks |
uploads:write |
Upload images to attach to messages or embed in content |
How to choose
Grant the least a key needs. For example, a read-only reporting job should get only the :read scopes; a tool that just submits feature requests needs only roadmap:write.
You can see and change a key’s scopes when you create it under App Settings → API Keys. To change scopes on an existing key, revoke it and mint a new one.
Was this article helpful?
Thanks for your feedback!