Scopes
API keys carry a scope list. Every endpoint is gated behind one or more scopes; a request made with a key that lacks a required scope is refused with HTTP 403 and code: insufficient_scope, and the missing scope is named in the response's param field.
Vocabulary
read:projects / write:projects
read:products / write:products
read:vendors / write:vendors
read:estimates / write:estimates
read:assessments / write:assessments
read:bids / write:bids
read:files / write:files
read:conversations / write:conversations
read:webhooks / write:webhooks
admin:org: superuser grant; implies every other scope in the same org. Use sparingly.
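The check the page describes, written out as an added example (not the vendor's own server code): a key's scope list is validated against the vocabulary above, admin:org stands in for every other scope but only inside the key's own org, and a request lacking a required scope gets the 403 / insufficient_scope / param response. The endpoint-to-scope table, the ApiKey shape, the 404 for a cross-org request and the exact JSON body are assumptions for illustration.

```python
# Added example, not the API vendor's code. The endpoint table, ApiKey
# shape, cross-org 404 and the JSON error body are assumptions.
from dataclasses import dataclass

RESOURCES = ("projects", "products", "vendors", "estimates", "assessments",
             "bids", "files", "conversations", "webhooks")
SUPERUSER = "admin:org"
# The full vocabulary from the page: read/write per resource plus admin:org.
ALL_SCOPES = frozenset(f"{verb}:{r}" for r in RESOURCES
                       for verb in ("read", "write")) | {SUPERUSER}

# Hypothetical (method, route) -> required scopes table; not the real routing.
ENDPOINT_SCOPES = {
    ("GET", "/projects"): ["read:projects"],
    ("POST", "/projects"): ["write:projects"],
    ("POST", "/projects/{id}/files"): ["write:projects", "write:files"],
    ("DELETE", "/webhooks/{id}"): ["write:webhooks"],
}


@dataclass(frozen=True)
class ApiKey:
    org_id: str          # assumption: every key is bound to exactly one org
    scopes: frozenset


def validate_scopes(requested):
    """Reject unknown scope names at key-creation time instead of silently
    dropping them (a typo like read:project would otherwise become a key
    that can do nothing and fails only at request time)."""
    unknown = sorted(set(requested) - ALL_SCOPES)
    if unknown:
        raise ValueError(f"unknown scope(s): {', '.join(unknown)}")
    return frozenset(requested)


def has_scope(key, scope):
    """admin:org implies every other scope; org binding is checked by the caller."""
    return SUPERUSER in key.scopes or scope in key.scopes


def authorize(key, method, route, target_org):
    """Return (status, body) in the shape the page describes: 403 with
    code insufficient_scope and the first missing scope in param."""
    if key.org_id != target_org:
        # Assumption: a key never sees another org's resources, so the
        # response does not even confirm the resource exists.
        return 404, {"code": "not_found"}
    required = ENDPOINT_SCOPES[(method, route)]
    missing = [s for s in required if not has_scope(key, s)]
    if missing:
        return 403, {"code": "insufficient_scope", "param": missing[0]}
    return 200, None


def missing_scope(status, body):
    """Client-side helper: pull the scope to add to the key out of a 403."""
    if status == 403 and body and body.get("code") == "insufficient_scope":
        return body.get("param")
    return None


if __name__ == "__main__":
    key = ApiKey("org_a", validate_scopes(["read:projects", "write:projects"]))
    status, body = authorize(key, "POST", "/projects/{id}/files", "org_a")
    print(status, body, "->", missing_scope(status, body))
```

Note that an endpoint gated behind two scopes reports only the first one missing; a key short of both will need a second round trip to learn the other, so when minting keys, grant the full set an integration needs rather than iterating on 403s.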
Session + OAuth tokens
Human UI sessions and connected-app OAuth tokens are not subject to scope checks; their permissions are fixed at the consent screen instead. Scopes are enforced on API keys only.