Scope catalog
This is the complete catalog of API scopes. Each scope follows the grammar product.resource:action and gates a specific set of endpoints. Use it as the authoritative list when minting a key, building a preset, or declaring a forge_api_key in Terraform.
how to read this table
- write implies read, admin implies write. Granting sites:write also grants sites:read; you never list both.
- Runtime gate is the capability a site must advertise for the scope to do anything. A wp.* scope on a static site is inert — the capability isn’t there, so the intersection is empty. “always” means the scope applies to every runtime.
- Effective permission is a triple intersection: perms(your role) ∩ scopes(key) ∩ resource-constraint(key). A scope can never lift a key above the role that minted it. See the security model.
platform & account
| Scope | Action(s) | Gates | Runtime gate |
|---|---|---|---|
| account:read / :write / :admin | read / write / admin | GET/PATCH /account; billing, plan, close | always |
| teams:read / :write / :admin | read / write / admin | teams, members, projects, invites; transfer, delete | always |
| audit:read | read | GET /teams/{id}/audit | always |
sites & lifecycle
| Scope | Action(s) | Gates | Runtime gate |
|---|---|---|---|
| sites:read / :write / :admin | read / write / admin | get, read config; create, patch config, restart; delete, transfer, clone | always |
| deployments:read / :write | read / write | build & deploy status; build, promote, rollback | always |
| environments:read / :write | read / write | env list/get; create, delete, refresh, reset, suspend, resume, renew | env-capable |
| domains:read / :write | read / write | domain & route reads; domain + DNS-record CRUD | always |
| tls:read / :write | read / write | cert status; provision, renew, upload | always |
| backups:read / :write | read / write | snapshot list/status; backup, restore, download | always |
| runtime:write | write | switch PHP / perf / WAF tier after create | always |
observability
| Scope | Action(s) | Gates | Runtime gate |
|---|---|---|---|
| observability:read | read | insights summary, timeseries, pages, logs, traces, resources, requests; account-scoped /logs, /traces, /metrics, /usage/storage | always |
| security:read / :write | read / write | blocks + malware overview & detections; trigger scan, block/unblock IP | always |

| Scope | Action(s) | Gates | Runtime gate |
|---|---|---|---|
| jobs:read | read | /jobs list/get + SSE stream | always |
WordPress product layer (wp.*)
These are the scopes for the dynamic application layer — the depth a generic PaaS won’t touch. They’re only meaningful where the runtime advertises the matching capability.
| Scope | Action(s) | Gates | Runtime gate |
|---|---|---|---|
| wp.plugins:read / :write | read / write | plugin inventory; install, activate, update, delete, per-env bulk | runtime=wordpress |
| wp.themes:read / :write | read / write | theme inventory; manage | runtime=wordpress |
| wp.content:read / :write | read / write | posts, pages, media; clone-content | runtime=wordpress |
| wp.users:read / :write | read / write | WordPress user CRUD | runtime=wordpress |
| wp.cli:exec | write | scoped WP-CLI — no raw shell | runtime=wordpress |
| cron:read / :write | read / write | scheduled tasks | runtime supports cron |
database
| Scope | Action(s) | Gates | Runtime gate |
|---|---|---|---|
| db:read / :write | read / write | metrics, schema, read queries; migrations, write, clone | runtime has a managed DB |
dangerous & isolated
| Scope | Action(s) | Gates | Runtime gate |
|---|---|---|---|
| credentials:read / :write | read / write | reveal SFTP/SSH/DB creds + magic-link SSO; reset, rotate, webhook/rotate | always |
| exec:raw | write | raw arbitrary shell — keys-to-the-kingdom | always |
| keys:write | write | mint / rotate other API keys | always |
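To make the three rules from “how to read this table” concrete, here is an added example (not code from the original page or the product) that models scope implication, the runtime gate, and the triple intersection over a subset of this catalog. The capability labels (wordpress, managed-db, env-capable, cron), the role permission sets, and the key fields are constructed assumptions for illustration only.

```python
# Added example, not code from the original page: a small model of the three
# rules in "how to read this table". The catalog subset, capability labels,
# role permission sets and key fields below are constructed for illustration.

ACTIONS = ("read", "write", "admin")  # each level implies the ones before it

# Runtime gate per scope family (subset of the catalog above); "always" = no gate.
RUNTIME_GATE = {
    "sites": "always", "deployments": "always", "credentials": "always",
    "environments": "env-capable", "db": "managed-db", "cron": "cron",
    "wp.plugins": "wordpress", "wp.cli": "wordpress",
}


def expand(scopes):
    """write implies read, admin implies write; other actions (exec) stand alone."""
    expanded = set()
    for scope in scopes:
        resource, action = scope.split(":", 1)
        if action in ACTIONS:
            expanded.update(f"{resource}:{a}" for a in ACTIONS[: ACTIONS.index(action) + 1])
        else:
            expanded.add(scope)
    return expanded


def gate_open(scope, site_caps):
    """A scope is inert unless the site advertises the scope's runtime gate."""
    gate = RUNTIME_GATE.get(scope.split(":", 1)[0], "always")
    return gate == "always" or gate in site_caps


def effective(role_perms, key_scopes, key_sites, site, site_caps):
    """perms(role) ∩ scopes(key) ∩ resource-constraint(key), minus inert scopes.
    key_sites is the resource constraint: None = unconstrained, else allowed site ids."""
    if key_sites is not None and site not in key_sites:
        return set()
    granted = expand(role_perms) & expand(key_scopes)
    return {s for s in granted if gate_open(s, site_caps)}


if __name__ == "__main__":
    role = ["sites:write", "wp.plugins:write", "wp.cli:exec", "db:read"]
    key = ["sites:admin", "wp.plugins:read", "wp.cli:exec", "db:write"]
    # WordPress site with managed DB: db stays read (role), sites never lifted to admin
    print(sorted(effective(role, key, {"site-1"}, "site-1", {"wordpress", "managed-db"})))
    # Static site: wp.* and db:* are inert, only sites:* survives
    print(sorted(effective(role, key, None, "site-2", set())))
```

The second call shows the inert case from the reading notes: on a static site the wp.* and db scopes drop out of the intersection even though both the role and the key carry them.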
next steps
- Scopes: The scope grammar, wildcards, and how write implies read.
- Presets: Curated scope bundles — Read-only, Deploy bot, CI/Terraform, and more.
- Security model: The triple-intersection down-scoping rule and the forced client role.
- Creating API keys: Mint a key with exactly the scopes from this catalog.