Reference
# API key scopes
Group together the scopes your key actually needs. Authio enforces them at the Management API tier.
When you create an API key in the dashboard you pick scope groups from a checkbox list. Each group expands to one or more concrete scopes (the strings below). The Management API rejects calls whose token doesn’t include the corresponding scope.
For fully-trusted backends pick `*`. For a frontend billing page pick `billing:read` only. Authio is least-privilege by default: any group you don't check is denied.
| Group | Description | Concrete scopes |
|---|---|---|
| Full access (*) | Everything. Use for fully-trusted backend keys. | * |
| Manage organizations | Create, list, update, and archive organizations. | organizations:read organizations:write |
| Manage memberships | List members, invite, change roles, remove. | memberships:read memberships:write invitations:write |
| Manage users | List/lookup users, update profile fields, deactivate. | users:read users:write |
| Manage webhooks | Create, list, rotate signing secret, replay deliveries. | webhooks:read webhooks:write webhooks:replay |
| Read audit log | List and search audit events. Read-only. | audit:read |
| Manage SCIM directories | Configure SCIM endpoints and bearer tokens. | scim:read scim:write |
| Fine-grained authorization | Read and write FGA tuples and rewrite rules. | fga:check fga:write |
| Read billing | Read plan, usage, invoices for self-service plan UI. | billing:read |
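As an added illustration (not Authio's own code), here is the scope model above expressed as a small checker: groups expand to concrete scopes, a key holds the union of its checked groups, and a call passes only when the key holds the required scope or `*`. The group labels and scopes come from the table; the check logic and the `smallest_groups_for` helper are assumptions about how enforcement works, not the Management API's implementation.

```python
from __future__ import annotations

from typing import Iterable

# Scope groups exactly as listed in the table: checkbox label -> concrete scopes.
SCOPE_GROUPS: dict[str, frozenset[str]] = {
    "Full access (*)": frozenset({"*"}),
    "Manage organizations": frozenset({"organizations:read", "organizations:write"}),
    "Manage memberships": frozenset({"memberships:read", "memberships:write", "invitations:write"}),
    "Manage users": frozenset({"users:read", "users:write"}),
    "Manage webhooks": frozenset({"webhooks:read", "webhooks:write", "webhooks:replay"}),
    "Read audit log": frozenset({"audit:read"}),
    "Manage SCIM directories": frozenset({"scim:read", "scim:write"}),
    "Fine-grained authorization": frozenset({"fga:check", "fga:write"}),
    "Read billing": frozenset({"billing:read"}),
}


def expand_groups(checked: Iterable[str]) -> frozenset[str]:
    """Union of the concrete scopes behind the checked groups.

    No checked groups means no scopes: such a key is denied every call.
    """
    checked = list(checked)
    unknown = set(checked) - set(SCOPE_GROUPS)
    if unknown:
        raise ValueError(f"unknown scope group(s): {sorted(unknown)}")
    return frozenset().union(*(SCOPE_GROUPS[g] for g in checked))


def is_allowed(key_scopes: frozenset[str], required: str) -> bool:
    """Assumed Management API check: the call's scope must be on the key, or the key holds '*'."""
    return "*" in key_scopes or required in key_scopes


def smallest_groups_for(required: str) -> list[str]:
    """Groups that would grant `required`, narrowest first and the '*' group last.

    Use it to pick the least-privilege checkbox instead of reaching for Full access.
    """
    granting = [g for g, scopes in SCOPE_GROUPS.items() if required in scopes or "*" in scopes]
    return sorted(granting, key=lambda g: ("*" in SCOPE_GROUPS[g], len(SCOPE_GROUPS[g])))


if __name__ == "__main__":
    billing_ui = expand_groups(["Read billing"])      # key for a frontend billing page
    backend = expand_groups(["Full access (*)"])      # key for a fully-trusted backend
    print(is_allowed(billing_ui, "billing:read"))     # True
    print(is_allowed(billing_ui, "webhooks:write"))   # False: group was never checked
    print(is_allowed(backend, "webhooks:write"))      # True: wildcard covers everything
    print(smallest_groups_for("webhooks:replay"))     # ['Manage webhooks', 'Full access (*)']
```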