Control what each API key can access
Scopes limit what an API key can do. Grant only the minimum scopes needed for each integration to reduce security risk.
| Scope | Grants Access To |
|---|---|
| candidates:read | Fetch candidate profiles and assessment data |
| candidates:write | Update candidate information |
| assessments:read | View assessment templates and results |
| assessments:write | Create and modify assessments |
| sessions:read | Fetch session data and scores |
| sessions:write | Trigger assessments, invalidate sessions |
| analytics:read | Access aggregate analytics and reports |
| webhooks:read | List webhooks and delivery logs |
| webhooks:write | Create and update webhooks |
Write scopes include read access. For example, candidates:write grants both read and write access to candidate data. You don't need to grant both scopes.
Use separate API keys for different integrations. If one key is compromised, you can revoke it without breaking other integrations.
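The rules above (write scopes include read, grant only the minimum per integration) written out as a check. This is an added example, not the API's own implementation; the scope names come from the table, while the key names and their `needed` sets are constructed.

```python
# Added example: scope names are from the table above; the key inventory is constructed.
SCOPES = {f"{r}:{a}" for r in ("candidates", "assessments", "sessions", "webhooks")
          for a in ("read", "write")} | {"analytics:read"}

def expand(granted):
    """Return the effective scope set: every write scope also grants its read scope."""
    unknown = set(granted) - SCOPES
    if unknown:
        raise ValueError(f"unknown scopes: {sorted(unknown)}")
    effective = set(granted)
    for scope in granted:
        resource, action = scope.split(":")
        if action == "write":
            effective.add(f"{resource}:read")
    return effective

def allows(granted, required):
    """True if a key holding `granted` may perform an action needing `required`."""
    return required in expand(granted)

def minimal(needed):
    """Smallest grant covering `needed`: drop read scopes implied by a write scope."""
    needed = set(needed)
    expand(needed)  # validates the scope names
    return {s for s in needed
            if not (s.endswith(":read") and s[:-len("read")] + "write" in needed)}

def audit(granted, needed):
    """Compare a key's grant with what its integration actually needs."""
    have, need = expand(granted), expand(needed)
    return {"missing": sorted(need - have),
            "excess": sorted(have - need),
            "redundant": sorted(set(granted) - minimal(granted))}

# Constructed inventory: one key per integration, as the page recommends.
KEYS = {
    "ats-sync": {"granted": {"candidates:write", "candidates:read", "analytics:read"},
                 "needed": {"candidates:read"}},
    "score-export": {"granted": {"sessions:read"}, "needed": {"sessions:read"}},
}

if __name__ == "__main__":
    for name, key in KEYS.items():
        print(name, audit(key["granted"], key["needed"]))
```

Any `excess` entry is access the integration does not use and that a leaked key would still carry; `redundant` entries are read scopes already implied by a granted write scope.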