
API key scopes

Every Defined Networking API key is granted a set of scopes (also called permission scopes). A scope authorizes an API key to perform one specific action against one resource. Each API endpoint requires a particular scope, so a key can only call an endpoint if it has been granted that endpoint's scope.

Scopes are written as resource:action, for example hosts:read or roles:create. When you create an API key in the admin panel, you choose which scopes it should have. A key can hold any combination of scopes, and a few endpoints require more than one (see Multi-scope endpoints below).

We recommend granting each key the fewest scopes it needs. For example, a monitoring script that only reads audit logs should have audit-logs:list and nothing else. If a key is ever leaked, a narrow set of scopes limits the damage, but you should still rotate the key immediately.

Each operation in the API reference lists the exact scope it requires under Token scope required. The tables below summarize every scope an API key can have.

Hosts

Scopes for managing hosts, including lighthouses and relays.

Scope             Grants
hosts:create      Create hosts, lighthouses, and relays.
hosts:read        View the details of an individual host.
hosts:list        List the hosts in your organization.
hosts:update      Edit a host.
hosts:delete      Delete a host.
hosts:enroll      Create enrollment codes so a host can be enrolled into the network.
hosts:block       Block a host, cutting off its access to the network.
hosts:unblock     Unblock a previously blocked host.
hosts:debug       Send debug commands to a host.

Roles

Scopes for managing roles and their firewall rules.

Scope             Grants
roles:create      Create a role.
roles:read        View the details of an individual role.
roles:list        List the roles in your organization.
roles:update      Edit a role and its firewall rules.
roles:delete      Delete a role.

Routes

Scopes for managing routes to networks beyond your overlay hosts.

Scope             Grants
routes:create     Create a route.
routes:read       View the details of an individual route.
routes:list       List the routes in your organization.
routes:update     Edit a route.
routes:delete     Delete a route.

Networks

Scopes for managing networks.

Scope             Grants
networks:create   Create a network.
networks:read     View the details of an individual network.
networks:list     List the networks in your organization.
networks:update   Edit a network, including adding CIDRs to it.
networks:delete   Delete a network.

Tags

Scopes for managing tags.

Scope             Grants
tags:create       Create a tag.
tags:read         View the details of an individual tag.
tags:list         List the tags in your organization.
tags:update       Edit a tag.
tags:delete       Delete a tag.

Audit logs

Scope             Grants
audit-logs:list   List audit log entries.

Multi-scope endpoints

Some endpoints require a key to hold more than one scope. If your key is missing any of the required scopes, the request is rejected.

  • Create host & enrollment code — requires both hosts:create and hosts:enroll.
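The following is an added example, not Defined Networking's own code, that models the authorization rule described on this page: a key may call an endpoint only if it holds every scope the endpoint requires, and a key should hold no scopes beyond what its job needs. The scope names are the ones in the tables above; the endpoint names and the endpoint-to-scope mapping (other than the multi-scope entry taken from this page) are assumptions for illustration.

```python
# Added example: a local model of API key scope checks.
# Scope names come from this page; ENDPOINT_SCOPES is an assumed mapping.
from __future__ import annotations
import re

SCOPE_RE = re.compile(r"^[a-z-]+:[a-z]+$")  # resource:action

# Every scope listed on this page, grouped by resource.
KNOWN_SCOPES = {
    *(f"hosts:{a}" for a in ("create", "read", "list", "update", "delete",
                             "enroll", "block", "unblock", "debug")),
    *(f"{r}:{a}" for r in ("roles", "routes", "networks", "tags")
      for a in ("create", "read", "list", "update", "delete")),
    "audit-logs:list",
}

# Hypothetical endpoint names -> scopes required (assumed for illustration,
# except the multi-scope "create host & enrollment code" rule from the page).
ENDPOINT_SCOPES = {
    "list_audit_logs": {"audit-logs:list"},
    "read_host": {"hosts:read"},
    "create_host": {"hosts:create"},
    "create_host_and_enrollment_code": {"hosts:create", "hosts:enroll"},
}


def parse_scopes(raw: str) -> set[str]:
    """Parse a comma/whitespace-separated scope list; reject unknown or malformed names."""
    scopes: set[str] = set()
    for tok in re.split(r"[,\s]+", raw.strip()):
        if not tok:
            continue
        if not SCOPE_RE.match(tok) or tok not in KNOWN_SCOPES:
            raise ValueError(f"unknown or malformed scope: {tok!r}")
        scopes.add(tok)
    return scopes


def missing_scopes(key_scopes: set[str], endpoint: str) -> set[str]:
    """Scopes the key lacks for this endpoint; an empty set means the call is allowed."""
    return ENDPOINT_SCOPES[endpoint] - key_scopes


def excess_scopes(key_scopes: set[str], endpoints: list[str]) -> set[str]:
    """Least-privilege check: scopes the key holds that none of its endpoints need."""
    needed = set().union(*(ENDPOINT_SCOPES[e] for e in endpoints))
    return key_scopes - needed
```

Running `excess_scopes` over the endpoints a script actually calls is a quick way to spot a key that was provisioned with more than it uses, such as a monitoring key holding hosts:list when it only reads audit logs.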