API keys and scopes
Every API key carries a scopes array that limits which operations and tools the key can invoke. Scopes are enforced server-side on every call: a key with only read cannot send SMS or place calls even if it tries.
Scopes
| Scope | Allows |
|---|---|
read | Read-only tools: list calls, list SMS, search leads, get account, list and get receptionists. |
send_sms | Send SMS. Opt-outs are enforced server-side on every send; consent gating beyond that (TCPA prior-relationship rules) is your responsibility. |
make_call | Start outbound voice calls. |
book | Create or update bookings. |
write_crm | Update CRM notes and contact records. |
admin | Admin-scoped operations (for example, webhook subscription CRUD). Never granted to MCP keys. |
* | Wildcard (legacy keys). Equivalent to every concrete scope. |
Defaults
Keys minted from the dashboard currently carry the scopes ["read", "send_sms", "book"]. Legacy keys (minted before scopes existed) carry ["*"].
Scope selection is not self-serve yet
Per-key scope selection is not yet available in the dashboard, so treat any key you hand to an agent as able to send SMS and book. If you need a restricted key (for example, read-only), contact support@autorev.ai.
Keys cannot mint other keys
There is no API endpoint for creating API keys. Key creation and revocation happen only in the dashboard at Settings > Integrations, behind your dashboard login. A leaked API key therefore cannot be used to mint new keys.
Scope errors
If a key lacks the scope an operation requires, the API returns 403 with a clear error body. Ask the account owner for a key with the needed scope; see Errors for the response format.