Scope presets
A preset is a named bundle of scopes for a common job — a deploy bot, a CI runner, an observability integration. Pick one when you create a key and you get a sensible, least-privilege grant without hand-checking a dozen scopes.
Presets are sugar, stored expanded
A preset is purely a convenience at mint time. The moment you create the key, the preset expands into an explicit list of scopes and is stored that way — the key records the literal scopes, not a reference to a preset name. Two things follow:
- What a preset means today is what your key keeps. If the platform later adds a scope to the Deploy bot preset, your existing keys don’t silently gain it — they hold the scopes they were minted with. Re-mint to pick up a changed preset.
- You can always inspect the real grant. A key’s stored `scopes` are the source of truth; the preset name was just the shortcut you typed.
The presets
| Preset | Scopes it expands to | For |
|---|---|---|
| Read-only | every `*:read` your role allows (e.g. `sites:read`, `environments:read`, `deployments:read`, `domains:read`, `observability:read`, `jobs:read`) | dashboards, audits, read-only integrations |
| Deploy bot | `sites:read` `deployments:write` `environments:write` `domains:read` `jobs:read` `observability:read` | push-to-deploy CI that builds, promotes, and gates on observability |
| CI/Terraform | read-only plus write lifecycle (sites/environments/deployments/domains/backups); no `credentials:*` / `exec:raw` / `keys:write` | Terraform plans/applies and full CI pipelines |
| Observability integration | `observability:read` `security:read` `jobs:read` `sites:read` | Grafana, Datadog, or a status page pulling metrics, logs, and traces |
| WP automation | `wp.plugins:write` `wp.themes:write` `wp.content:write` `cron:write` plus `sites:read` `environments:read` `jobs:read` | maintenance bots managing the WordPress application layer (runtime-gated) |
Presets never include the dangerous scopes
This is the line that makes presets safe to reach for: the three isolated scopes are never in any preset.
| Scope | Why it’s excluded |
|---|---|
| `credentials:read` / `credentials:write` | Revealing SFTP/SSH/DB secrets and magic-link SSO is a deliberate, audited act. |
| `exec:raw` | Raw arbitrary shell is the keys to the kingdom. |
| `keys:write` | Minting other keys is a privileged, single-grant action. |
If a key genuinely needs one of these, you add it explicitly, one at a time, on top of (or instead of) a preset — it never rides in as a side effect of choosing a convenient bundle. The same exclusion holds for wildcards; see scopes for the isolation rule.
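The two rules above (expand at mint time and store the literal scopes; never let an isolated scope ride in through a preset) as an added, self-contained example. This is illustration code, not the platform's own implementation: preset and scope names are the ones on this page, while `expand_preset`, `mint_key`, the role-bounding behaviour and the `presets` parameter are assumptions made for the demo.

```python
"""Mint-time preset expansion with the isolation rule (added example, hypothetical API)."""

# The three isolated scopes from the page; never granted via a preset.
ISOLATED = {"credentials:read", "credentials:write", "exec:raw", "keys:write"}

# A subset of the page's presets. "*:read" stands for "every *:read your role allows".
PRESETS = {
    "Read-only": ["*:read"],
    "Deploy bot": ["sites:read", "deployments:write", "environments:write",
                   "domains:read", "jobs:read", "observability:read"],
    "Observability integration": ["observability:read", "security:read",
                                  "jobs:read", "sites:read"],
}


def preset_is_safe(preset, presets=PRESETS):
    """True when the preset's explicit entries contain no isolated scope."""
    return not (set(presets[preset]) & ISOLATED)


def expand_preset(preset, role_scopes, presets=PRESETS):
    """Expand a preset name into sorted literal scopes, bounded by the caller's role."""
    if not preset_is_safe(preset, presets):
        raise ValueError(f"preset {preset!r} would grant an isolated scope")
    scopes = set()
    for entry in presets[preset]:
        if entry == "*:read":
            # Wildcard read: whatever :read scopes the role holds, minus isolated ones.
            scopes.update(s for s in role_scopes
                          if s.endswith(":read") and s not in ISOLATED)
        else:
            scopes.add(entry)
    # Assumption: a preset never exceeds what the minting role itself holds.
    return sorted(scopes & set(role_scopes))


def mint_key(preset, role_scopes, extra=()):
    """Return a key record holding literal scopes; the preset name is not stored."""
    scopes = set(expand_preset(preset, role_scopes))
    for s in extra:  # isolated scopes arrive only as explicit, one-at-a-time additions
        if s not in role_scopes:
            raise PermissionError(f"role does not hold {s!r}")
        scopes.add(s)
    return {"scopes": sorted(scopes)}
```

Because the record holds only the expanded list, a later change to `PRESETS["Deploy bot"]` leaves previously minted keys exactly as they were, which is the re-mint behaviour the first section describes.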