API keys and scopes

Last updated: July 3, 2026

API keys let you (or your integrations) call the Scenario API without logging in as a user. Every key is issued with a set of scopes, which control exactly what that key is allowed to do. This article explains what scopes are, the two kinds of API keys, how to configure scopes in the webapp, and what happens if a key tries to do something it isn't scoped for.

API keys are available on the Starter plan and above.


Who can manage API keys

Creating, editing, or deleting API keys requires being a team admin or a project owner. Other team members with API access can view that a key exists but will need to ask an admin or owner to make changes.


Two kinds of API keys

Scenario has two independent kinds of keys, each with its own set of scopes. A key is one or the other, never both.

- Project keys control access to content inside a specific project: assets, models, workflows, and so on.

- Team keys control access to team-level administration: team info, members, usage, and IP filters.

Because they cover different things, project scopes (like assets.write) and team scopes (like team.read) never mix on the same key.


Where to configure scopes

1. Go to Team settings → API Keys.

2. Click Create API key.

3. Give the key a name, and choose its type: Project or Team (non-admins can only create Project keys).

4. If it's a Project key, pick which project it applies to.

5. Set the key's scopes (see below for each type).

6. Optionally set a usage limit: a compute unit (CU) cap for the key, or leave it unlimited. This is a spend cap, not a permission, and is independent from scopes.

7. Click Create. Your key's secret is shown once, immediately after creation. Copy it or download the CSV right away. Scenario never stores the secret in a retrievable form, so if you lose it, you'll need to delete the key and create a new one.

You can come back and edit a key's scopes at any time after creation by expanding it in the API Keys list and saving new values. Only the secret itself is create-once; scopes are not locked in.


Project key scopes

When creating or editing a Project key, choose a role:

image.png

Role

What it grants

Admin

Every scope, including usage reporting.

Editor (default)

Every scope needed to create, run, and manage content: assets, models, workflows, and the assistant. Does not include usage reporting.

Reader

Read-only access to everything except usage reporting. Read-only keys can also perform a small set of safe actions like bulk downloads and search.

Custom

Pick access per resource, described below.

Choosing Custom shows a matrix where you set an access level for each resource:

Resource

Access levels

What it covers

Assets

No access / Read / Write / Delete

Viewing, downloading, uploading, tagging, and deleting assets

Models

No access / Read / Run / Write / Delete

Viewing models and jobs, running generations/inference/training, creating or updating models, deleting models

Workflows

No access / Read / Run / Write / Delete

Viewing, running, creating/updating, and deleting workflows

Projects

No access / Read

Reading project information (project settings, members, and key management are always admin-only, regardless of scopes)

Assistant

No access / Read / Write

Viewing and creating/editing assistant threads

Usage

No access / Read

Reading usage and consumption data. Not included in Editor or Reader by default; add it explicitly if a key needs it

Access levels are cumulative for a resource: Write includes Read, Delete includes Write, and so on.

Team key scopes

Team keys don't have preset roles. Instead, you turn on the individual scopes you need:

image.png

Scope

What it grants

Read team (team.read)

Read team info, limits, and subscription details

Manage members (team.members.manage)

Manage team members, their project access, and invitations

Read usage (team.usage.read)

Read usage across every project in the team

Manage IP filters (team.ip-filters.manage)

Manage the team's IP allowlist

The default for a new team key is team.read and team.usage.read.


What happens if a key is used outside its scopes

Every API request made with a key is checked against that key's scopes. If the endpoint you're calling isn't covered by any scope the key holds, the request is rejected with a 403 Forbidden response. If you're integrating against the API and hitting unexpected 403s, check the key's scopes first, most often it just needs an extra resource or access level enabled.


Good practices

  • Give each integration its own key, scoped to only what it needs, rather than sharing one Admin key everywhere.

  • Set a usage limit on keys used by third-party tools or scripts you don't fully control.

  • Rotate keys periodically, and delete any key you're no longer using. Deleting a key is immediate and can't be undone.

  • Never commit a key's secret to a repository or store it in plaintext.