Scope catalog

Preview

This is the complete catalog of API scopes. Each scope follows the grammar product.resource:action and gates a specific set of endpoints. Use it as the authoritative list when minting a key, building a preset, or declaring a forge_api_key in Terraform.

  • write implies read, admin implies write. Granting sites:write also grants sites:read; you never list both.
  • Runtime gate is the capability a site must advertise for the scope to do anything. A wp.* scope on a static site is inert — the capability isn’t there, so the intersection is empty. “always” means the scope applies to every runtime.
  • Effective permission is a triple intersection: perms(your role) ∩ scopes(key) ∩ resource-constraint(key). A scope can never lift a key above the role that minted it. See the security model.
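
The three rules above, worked through as an added Python example (not the platform's own code). It assumes a role's permissions can be written as a set of scopes, that a key's resource constraint is a set of site ids (None meaning unconstrained), and that sites advertise capabilities as plain strings; all function names and capability strings are hypothetical.

```python
# Added illustration; RANK, GATES, expand, gate_for and effective are
# hypothetical names, and the capability strings are constructed.
RANK = {"read": 1, "write": 2, "admin": 3}

# Runtime gates from the catalog; resources not listed here are "always".
GATES = {"environments": "env", "cron": "cron", "db": "managed-db"}


def expand(scope):
    """Return the scope plus every lower action it implies (admin > write > read)."""
    resource, action = scope.rsplit(":", 1)
    if action not in RANK:  # wp.cli:exec, exec:raw: no implication chain
        return {scope}
    return {f"{resource}:{a}" for a, r in RANK.items() if r <= RANK[action]}


def gate_for(scope):
    """Capability the site must advertise, or None when the gate is 'always'."""
    resource = scope.split(":", 1)[0]
    return "wordpress" if resource.startswith("wp.") else GATES.get(resource)


def effective(role_perms, key_scopes, key_sites, site_id, site_caps):
    """perms(role) ∩ scopes(key) ∩ resource-constraint(key), then runtime-gated."""
    if key_sites is not None and site_id not in key_sites:
        return set()  # resource constraint excludes this site
    role = set().union(*(expand(s) for s in role_perms))
    key = set().union(*(expand(s) for s in key_scopes))
    return {s for s in role & key if gate_for(s) is None or gate_for(s) in site_caps}


if __name__ == "__main__":
    role = {"sites:write", "wp.plugins:write"}
    key = {"sites:admin", "wp.plugins:read", "exec:raw"}
    print(sorted(effective(role, key, {"site-a"}, "site-a", {"wordpress"})))
    print(sorted(effective(role, key, {"site-a"}, "site-a", set())))
```

In the sample run the key asks for sites:admin and exec:raw, but the minting role holds neither, so both drop out of the result; on a site without the wordpress capability the wp.plugins scope drops out as well.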

| Scope | Action(s) | Gates | Runtime gate |
|---|---|---|---|
| account:read / :write / :admin | read / write / admin | GET/PATCH /account; billing, plan, close | always |
| teams:read / :write / :admin | read / write / admin | teams, members, projects, invites; transfer, delete | always |
| audit:read | read | GET /teams/{id}/audit | always |

| Scope | Action(s) | Gates | Runtime gate |
|---|---|---|---|
| sites:read / :write / :admin | read / write / admin | get, read config; create, patch config, restart; delete, transfer, clone | always |
| deployments:read / :write | read / write | build & deploy status; build, promote, rollback | always |
| environments:read / :write | read / write | env list/get; create, delete, refresh, reset, suspend, resume, renew | env-capable |
| domains:read / :write | read / write | domain & route reads; domain + DNS-record CRUD | always |
| tls:read / :write | read / write | cert status; provision, renew, upload | always |
| backups:read / :write | read / write | snapshot list/status; backup, restore, download | always |
| runtime:write | write | switch PHP / perf / WAF tier after create | always |

| Scope | Action(s) | Gates | Runtime gate |
|---|---|---|---|
| observability:read | read | insights summary, timeseries, pages, logs, traces, resources, requests; account-scoped /logs, /traces, /metrics, /usage/storage | always |
| security:read / :write | read / write | blocks + malware overview & detections; trigger scan, block/unblock IP | always |

| Scope | Action(s) | Gates | Runtime gate |
|---|---|---|---|
| jobs:read | read | /jobs list/get + SSE stream | always |

These are the scopes for the dynamic application layer — the depth a generic PaaS won’t touch. They’re only meaningful where the runtime advertises the matching capability.

| Scope | Action(s) | Gates | Runtime gate |
|---|---|---|---|
| wp.plugins:read / :write | read / write | plugin inventory; install, activate, update, delete, per-env bulk | runtime=wordpress |
| wp.themes:read / :write | read / write | theme inventory; manage | runtime=wordpress |
| wp.content:read / :write | read / write | posts, pages, media; clone-content | runtime=wordpress |
| wp.users:read / :write | read / write | WordPress user CRUD | runtime=wordpress |
| wp.cli:exec | write | scoped WP-CLI — no raw shell | runtime=wordpress |
| cron:read / :write | read / write | scheduled tasks | runtime supports cron |

| Scope | Action(s) | Gates | Runtime gate |
|---|---|---|---|
| db:read / :write | read / write | metrics, schema, read queries; migrations, write, clone | runtime has a managed DB |

| Scope | Action(s) | Gates | Runtime gate |
|---|---|---|---|
| credentials:read / :write | read / write | reveal SFTP/SSH/DB creds + magic-link SSO; reset, rotate, webhook/rotate | always |
| exec:raw | write | raw arbitrary shell — keys-to-the-kingdom | always |
| keys:write | write | mint / rotate other API keys | always |