API Key Scopes

Scoped API keys let you grant an application only the permissions it actually needs, instead of sharing a key with full account access. You can create multiple keys per organisation, label them per app, revoke them individually, and track when each key was last used.

Key Types

  • Scoped keys (recommended) — start with sk_, carry an explicit list of scopes, and are stored hashed. The full key is shown exactly once at creation.
  • Legacy key — the original single full-access key (64-character hex, no prefix). Existing legacy keys keep working unchanged with full access, but the legacy key is planned for deprecation — migrate integrations to scoped keys.

Both key types authenticate the same way — as a Bearer token (see Authentication). Nothing about the request format changes.

Creating a Scoped Key

  1. Open your Sendiee Dashboard → API & Webhooks
  2. In Scoped API Keys, click Create key
  3. Give it a label and tick only the scopes the app needs
  4. Copy or download the key immediately — it is shown only once and stored hashed on our side

Up to 10 active scoped keys can exist per organisation. Revoking a key takes effect immediately.

Scope Reference

Scope names follow the resource:action pattern and map to the corresponding resource paths under /v2.0. Selecting Full access (*) makes the key equivalent to a legacy key.

ScopeGrants access to
contacts:readList contacts, advanced filtering, look up a contact by phone
contacts:writeCreate or update contacts (including custom fields and lead category)
config:readRead contact field schema, custom attribute definitions, tags, and the full lead-segmentation config (categories, follow-ups, and AI insights)
config:writeCreate, update, and delete custom attributes and tags, and manage lead segmentation (settings, categories, follow-ups, and AI insights)
messages:sendSend template and freeform messages (WhatsApp + WebWhatsApp), cancel scheduled messages
messages:readCheck message status, list scheduled messages
chats:readRead conversation history and chat lists
templates:readList message templates and fetch a single template by id
templates:writeCreate and submit message templates
campaigns:readList campaigns, fetch reports, preview audiences
campaigns:writeCreate and cancel campaigns
assistants:readList AI assistants, configurations, and version history
assistants:writeCreate, update, toggle, restore, and delete AI assistants
tools:readList AI tools, schemas, version history, and run logs
tools:writeCreate, update, toggle, restore, and delete AI tools
catalogs:readList catalogs, products, collections, and sync status
catalogs:writeManage catalogs, products, collections, sources, channels, and syncs
channels:readCheck channel connection status (WhatsApp, Instagram, Messenger)
insights:readRead daily summaries and lead-pipeline snapshots
billing:readRead plan, subscriptions, payments, and wallet balance
integrations:shopifyAll Shopify data and order endpoints (REST + GraphQL lanes)
integrations:zohoAll Zoho CRM, Inventory, and Desk endpoints

Using a Scoped Key

A scoped key is used exactly like any other key. With a key holding contacts:write + config:read:

# Allowed: contacts:write
curl -X POST https://api.sendiee.com/v2.0/contacts \
  -H "Authorization: Bearer sk_YOUR_SCOPED_KEY" \
  -H "Content-Type: application/json" \
  -d '{"phone": "+15551234567", "contactName": "Ada Lovelace"}'

# Allowed: config:read
curl -X GET https://api.sendiee.com/v2.0/leads/categories \
  -H "Authorization: Bearer sk_YOUR_SCOPED_KEY"

# Denied: requires messages:send -> 403 INSUFFICIENT_SCOPE
curl -X POST https://api.sendiee.com/v2.0/whatsapp/send \
  -H "Authorization: Bearer sk_YOUR_SCOPED_KEY" \
  -H "Content-Type: application/json" \
  -d '{"brandNumber": "15550001111", "toPhoneNumber": "+15551234567", "templateName": "hello"}'

The INSUFFICIENT_SCOPE Error

When a scoped key calls an endpoint outside its scopes, the API responds with 403 and names the missing scope so you can fix the key instead of guessing:

{
  "error": true,
  "code": "INSUFFICIENT_SCOPE",
  "required_scope": "messages:send",
  "message": "This API key does not have the required scope 'messages:send'."
}

Scoped keys are default-deny: endpoints not covered by any granted scope are rejected. Legacy and full-access keys are never affected by scope checks.

Security Model

  • Hashed at rest — scoped keys are stored as SHA-256 hashes; Sendiee cannot show you the key again after creation
  • Instant revocation — revoked keys fail with 401 INVALID_API_KEY on the next request
  • Last-used tracking — the dashboard shows when each key last made a request, so stale keys are easy to spot and revoke
  • Per-key rate limiting — each key gets its own counters at your plan limits, so one runaway integration cannot starve the others (see Rate Limits)
  • Per-key request logs— the dashboard's Logs tab can filter API requests by key