API Key Scopes
Restrict what each API key can access by assigning specific scopes.
Available Scopes
| Scope | Description |
|---|---|
| `payments:read` | View payment intents and charges |
| `payments:write` | Create, confirm, and cancel payments |
| `customers:read` | View customer records |
| `customers:write` | Create, update, and delete customers |
| `webhooks:read` | View webhook endpoints |
| `webhooks:write` | Create, update, and delete webhooks |
| `refunds:write` | Issue and manage refunds |
| `reports:read` | View and download reports |
| `products:read` | View products and prices |
| `products:write` | Create and manage products and prices |
| `subscriptions:read` | View subscriptions |
| `subscriptions:write` | Create and manage subscriptions |
Best Practices
- Principle of least privilege — Only grant the scopes each key needs
- Separate keys per service — Use different keys for different microservices
- Read-only for analytics — Use `*:read` scopes for dashboards and reporting tools
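
The best practices above can be checked mechanically against a key inventory. The following is an added example, not part of the original documentation or the provider's tooling: it audits a constructed inventory for unused scopes, write scopes on read-only keys, and keys shared between services. The inventory layout, key names, service names, and the treatment of `*:read` as shorthand for every `:read` scope in the table are assumptions.

```python
# Scope names come from the table above; everything else is constructed.
KNOWN_SCOPES = {
    "payments:read", "payments:write", "customers:read", "customers:write",
    "webhooks:read", "webhooks:write", "refunds:write", "reports:read",
    "products:read", "products:write", "subscriptions:read", "subscriptions:write",
}

def expand(scopes):
    """Expand a wildcard such as `*:read` into the table scopes it covers (assumed meaning)."""
    out = set()
    for s in scopes:
        resource, _, action = s.partition(":")
        if resource == "*":
            out |= {k for k in KNOWN_SCOPES if k.endswith(":" + action)}
        else:
            out.add(s)
    return out

def audit(keys):
    """Return {key_name: [findings]} for keys that break the best practices."""
    report = {}
    for name, key in keys.items():
        granted = expand(key["granted"])
        needed = expand(key["needed"])
        # Scopes not in the table are typos or stale names.
        findings = [f"unknown scope: {s}" for s in sorted(granted - KNOWN_SCOPES)]
        # Least privilege: anything granted but not needed should be dropped.
        findings += [f"unused scope: {s}" for s in sorted((granted & KNOWN_SCOPES) - needed)]
        # Read-only keys (dashboards, reporting) must carry no :write scope.
        if key.get("read_only"):
            findings += [f"write scope on read-only key: {s}"
                         for s in sorted(granted) if s.endswith(":write")]
        # Separate keys per service: one key should map to one service.
        if len(key["services"]) > 1:
            findings.append("shared by services: " + ", ".join(sorted(key["services"])))
        if findings:
            report[name] = findings
    return report

# Constructed inventory (hypothetical key and service names).
INVENTORY = {
    "checkout-key": {"granted": ["payments:write", "customers:read"],
                     "needed": ["payments:write", "customers:read"],
                     "services": ["checkout"]},
    "dashboard-key": {"granted": ["*:read", "refunds:write"],
                      "needed": ["reports:read", "payments:read"],
                      "services": ["dashboard", "billing-export"], "read_only": True},
}

if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(name, findings)
```

Note that a blanket `*:read` grant still fails the least-privilege check when the dashboard only reads reports and payments, so the audit lists the other read scopes as unused.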