Skip to main content

API keys and scopes

Every API key carries a scopes array that limits which operations and tools the key can invoke. Scopes are enforced server-side on every call: a key with only read cannot send SMS or place calls even if it tries.

Scopes

ScopeAllows
readRead-only tools: list calls, list SMS, search leads, get account, list and get receptionists.
send_smsSend SMS. Opt-outs are enforced server-side on every send; consent gating beyond that (TCPA prior-relationship rules) is your responsibility.
make_callStart outbound voice calls.
bookCreate or update bookings.
write_crmUpdate CRM notes and contact records.
adminAdmin-scoped operations (for example, webhook subscription CRUD). Never granted to MCP keys.
*Wildcard (legacy keys). Equivalent to every concrete scope.

Defaults

Keys minted from the dashboard currently carry the scopes ["read", "send_sms", "book"]. Legacy keys (minted before scopes existed) carry ["*"].

Scope selection is not self-serve yet

Per-key scope selection is not yet available in the dashboard, so treat any key you hand to an agent as able to send SMS and book. If you need a restricted key (for example, read-only), contact support@autorev.ai.

Keys cannot mint other keys

There is no API endpoint for creating API keys. Key creation and revocation happen only in the dashboard at Settings > Integrations, behind your dashboard login. A leaked API key therefore cannot be used to mint new keys.

Scope errors

If a key lacks the scope an operation requires, the API returns 403 with a clear error body. Ask the account owner for a key with the needed scope; see Errors for the response format.