Skip to main content

API Key Scopes

Scopes define what actions an API key can perform. Each scope grants access to specific endpoints and operations.

Available Scopes

ScopeDescription
campaigns:writeCreate, update, and delete campaigns
sender_accounts:writeAdd and remove sender accounts
*Full access to all API endpoints
Scope names follow the pattern resource:permission. The wildcard * grants all current and future permissions.

Scope Requirements

Each endpoint requires specific scopes:
EndpointMethodRequired Scope
/campaignsPOSTcampaigns:write
/campaigns/{id}PUTcampaigns:write
/campaigns/{id}DELETEcampaigns:write
/sender-accountsPOSTsender_accounts:write
/sender-accounts/{id}DELETEsender_accounts:write

Scope Checking

When you make an API request, ColdSend verifies that your key has the required scope: 
# Request with insufficient scope
headers = {"X-API-Key": "cs_live_key_with_sender_accounts_write_only"}

# This will succeed
requests.post(f"{base_url}/sender-accounts", headers=headers, json={...})

# This will fail with 403
requests.post(f"{base_url}/campaigns", headers=headers, json={...})

Error Response

When a key lacks the required scope: 
{
  "detail": "Missing API key scopes: campaigns:write"
}
Status: 403 Forbidden

Wildcard Scope

The * scope grants full access to all API endpoints: 
{
  "name": "Full Access Key",
  "scopes": ["*"]
}
Use the wildcard scope for:
  • Administrative integrations
  • Development and testing
  • Internal tools that need broad access
The wildcard scope grants complete API access. Only use it when necessary and protect these keys accordingly.

Best Practices

Principle of Least Privilege

Grant only the minimum scopes required: 
# For a campaign automation tool
scopes = ["campaigns:write"]

# For a sender account provisioning tool
scopes = ["sender_accounts:write"]

# For a full integration
scopes = ["campaigns:write", "sender_accounts:write"]

Separate Keys by Function

Create different API keys for different purposes:
Key NameScopesUse Case
campaign-automationcampaigns:writeCreating and managing campaigns
inbox-provisioningsender_accounts:writeOnboarding new sender accounts
analytics-readonlyNone (future)Read-only analytics access

Audit Scope Usage

Regularly review which scopes your keys actually use:
  1. Check the “Last Used” timestamp for each key
  2. Review audit logs for scope usage patterns
  3. Remove unused scopes or revoke unused keys

Future Scopes

Additional scopes may be added for new features:
  • campaigns:read - View campaign details and analytics
  • sender_accounts:read - View sender account configurations
  • leads:read - Access lead data
  • leads:write - Manage leads
Keys with the * scope will automatically have access to new endpoints as they become available.