Scoping API keys to capabilities

Limit API keys to specific capabilities for better security and access control. Scoped keys can only invoke the capabilities you explicitly allow.

Why scope API keys

Scoping provides security and organizational benefits:

  • Least privilege — Give third parties access to only what they need
  • Reduce attack surface — Compromised keys can’t access all capabilities
  • Usage tracking — See which keys are calling which capabilities
  • Billing isolation — Track costs per integration or customer

Creating a scoped key

  1. Open your API surface
  2. Find API Keys
  3. Click Create API Key
  4. Enter a name (e.g., “Mobile app - FAQ only”)
  5. Under Scope, select Specific capabilities
  6. Check the capabilities this key should access
  7. Click Create
  8. Copy the key immediately

Access denied errors

When a key tries to access a capability it’s not scoped to:

{
  "error": "API key does not have permission to access this capability",
  "capabilityId": "cap_xxxxxx"
}

HTTP status: 403 Forbidden
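
A way to act on the response above, added here as an example (not Runtype's own code): it recognizes the documented 403 body and flags keys that were denied on several distinct capabilities, which can indicate a leaked or misconfigured key being used outside its scope. The key names, capability IDs, sample records and the threshold rule are constructed assumptions.

```python
import json
from collections import defaultdict

# Error text copied from the 403 body documented above.
SCOPE_DENIED = "API key does not have permission to access this capability"


def scope_denial(status, body_text):
    """Return the denied capabilityId if this is a scope denial, else None."""
    if status != 403:
        return None
    try:
        body = json.loads(body_text)
    except (TypeError, ValueError):
        return None  # a 403 from a proxy or WAF, not the documented JSON body
    if not isinstance(body, dict) or body.get("error") != SCOPE_DENIED:
        return None
    return body.get("capabilityId")


def keys_denied_out_of_scope(responses, threshold=2):
    """Map key name -> sorted denied capability IDs, for keys denied on at
    least `threshold` distinct capabilities (hypothetical alert rule)."""
    denied = defaultdict(set)
    for key_name, status, body_text in responses:
        cap = scope_denial(status, body_text)
        if cap is not None:
            denied[key_name].add(cap)
    return {k: sorted(v) for k, v in denied.items() if len(v) >= threshold}


def _denial(cap_id):
    # Build a body in the documented shape with a constructed capability ID.
    return json.dumps({"error": SCOPE_DENIED, "capabilityId": cap_id})


# Constructed sample: (key name, HTTP status, response body) as a client or
# gateway might record them. Key names and capability IDs are made up.
SAMPLE = [
    ("Acme Corp - FAQ only", 200, '{"result": "ok"}'),
    ("Acme Corp - FAQ only", 403, _denial("cap_orders")),
    ("Acme Corp - FAQ only", 403, _denial("cap_admin")),
    ("Mobile app", 403, "<html>Forbidden</html>"),
    ("Public API", 403, _denial("cap_admin")),
]

if __name__ == "__main__":
    print(keys_denied_out_of_scope(SAMPLE))
```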

Updating scope

Modify a key’s scope after creation:

  1. Find the key in your API surface settings
  2. Click Edit
  3. Change capability selections
  4. Click Save

Changes take effect immediately. Existing requests with the key will use the new scope.

Use cases

Customer-specific keys

Create a key for each customer, scoped to capabilities relevant to them:

  • Customer A: FAQ + Order lookup capabilities
  • Customer B: FAQ capability only

Integration separation

Isolate different integrations:

  • Mobile app key: All capabilities
  • Public API key: Safe, rate-limited capabilities only
  • Internal tools key: Admin and diagnostic capabilities

Third-party developers

Give partners access to specific features without exposing your entire Product.

Name keys descriptively with their scope (e.g., “Acme Corp - FAQ only” instead of “API Key 3”). This makes management easier as you scale.

Unscoped keys

Keys can also be unscoped, granting access to all capabilities on the Product. This is convenient for trusted integrations but increases risk if the key is compromised.

Use unscoped keys only when necessary and rotate them regularly.

Next steps

  • Authenticating with Product API keys
  • Calling your API endpoints
  • Setting up an API surface