Scope presets

Preview

A preset is a named bundle of scopes for a common job — a deploy bot, a CI runner, an observability integration. Pick one when you create a key and you get a sensible, least-privilege grant without hand-checking a dozen scopes.

A preset is purely a convenience at mint time. The moment you create the key, the preset expands into an explicit list of scopes and is stored that way — the key records the literal scopes, not a reference to a preset name. Two things follow:

  • What a preset means today is what your key keeps. If the platform later adds a scope to the Deploy bot preset, your existing keys don’t silently gain it — they hold the scopes they were minted with. Re-mint to pick up a changed preset.
  • You can always inspect the real grant. A key’s stored scopes are the source of truth; the preset name was just the shortcut you typed.
| Preset | Scopes it expands to | For |
| --- | --- | --- |
| Read-only | every *:read your role allows (e.g. sites:read, environments:read, deployments:read, domains:read, observability:read, jobs:read) | dashboards, audits, read-only integrations |
| Deploy bot | sites:read, deployments:write, environments:write, domains:read, jobs:read, observability:read | push-to-deploy CI that builds, promotes, and gates on observability |
| CI/Terraform | read-only plus write lifecycle (sites/environments/deployments/domains/backups); no credentials:*, exec:raw or keys:write | Terraform plans/applies and full CI pipelines |
| Observability integration | observability:read, security:read, jobs:read, sites:read | Grafana, Datadog, or a status page pulling metrics, logs, and traces |
| WP automation | wp.plugins:write, wp.themes:write, wp.content:write, cron:write plus sites:read, environments:read, jobs:read | maintenance bots managing the WordPress application layer (runtime-gated) |

Presets never include the dangerous scopes

This is the line that makes presets safe to reach for: the three isolated scopes are never in any preset.

| Scope | Why it’s excluded |
| --- | --- |
| credentials:read / credentials:write | Revealing SFTP/SSH/DB secrets and magic-link SSO is a deliberate, audited act. |
| exec:raw | Raw arbitrary shell is the keys to the kingdom. |
| keys:write | Minting other keys is a privileged, single-grant action. |

If a key genuinely needs one of these, you add it explicitly, one at a time, on top of (or instead of) a preset — it never rides in as a side effect of choosing a convenient bundle. The same exclusion holds for wildcards; see scopes for the isolation rule.
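The two rules above (presets freeze into literal scopes at mint time; the isolated scopes never arrive through a preset or a wildcard) as an added, hypothetical model in Python. This is not the platform's code: the scope catalog, `PRESETS`, `expand()` and `mint_key()` are constructed for illustration, using the scope names the page lists.

```python
# Hypothetical model of mint-time preset expansion (constructed example,
# not the platform's implementation).
from fnmatch import fnmatchcase

# The three isolated scopes: never in a preset, never matched by a wildcard.
ISOLATED = {"credentials:read", "credentials:write", "exec:raw", "keys:write"}

# Constructed catalog of known scopes; only used to expand wildcards.
CATALOG = {"sites:read", "sites:write", "environments:read", "environments:write",
           "deployments:read", "deployments:write", "domains:read", "domains:write",
           "observability:read", "jobs:read", "security:read"} | ISOLATED

# Mutable preset table. mint_key() copies out of it, so a later change to a
# preset never reaches keys that were already minted.
PRESETS = {
    "deploy-bot": ["sites:read", "deployments:write", "environments:write",
                   "domains:read", "jobs:read", "observability:read"],
}

def expand(scope):
    """Turn one requested scope (literal or wildcard) into literal scopes.
    A wildcard never reaches an isolated scope; those must be named literally."""
    if "*" not in scope:
        return {scope}
    return {s for s in CATALOG if fnmatchcase(s, scope) and s not in ISOLATED}

def mint_key(preset=None, explicit=()):
    """Return a key record holding the literal scope list, not the preset name."""
    scopes = set()
    if preset is not None:
        bundle = PRESETS[preset]
        if set(bundle) & ISOLATED or any("*" in s for s in bundle):
            raise ValueError("a preset may not carry isolated or wildcard scopes")
        scopes |= set(bundle)
    for s in explicit:          # isolated scopes only get in as explicit literals
        scopes |= expand(s)
    return {"scopes": sorted(scopes)}  # frozen snapshot; no reference to the preset

if __name__ == "__main__":
    key = mint_key("deploy-bot")
    PRESETS["deploy-bot"].append("domains:write")   # preset changes after the mint
    print(key["scopes"])                            # still the six scopes it was minted with
    print(mint_key(explicit=["*:read"])["scopes"])  # every *:read except credentials:read
```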