
Create API keys and choose their scopes

Create a key from Integrations → API, pick its permissions with a preset or custom scopes, and copy it once — only a secure hash is stored. Edit scopes or revoke instantly at any time.

How keys and scopes work

API keys are created by a platform admin from the admin dashboard. Each key is locked to your platform only and begins with the prefix ac_. Every key carries a list of scopes — permission groups like "Read videos", "Manage collections", or "Read analytics" — and can call a tool only if it holds the matching scope; otherwise the request is rejected with a 403 error.

There are more than 35 scopes, and reads are always separate from writes, so you can hand out a key that can look at everything relevant but change nothing. A new key has no access at all until you grant something — there's no wildcard to pick by accident.

Risk labels and presets

Each scope shows a risk badge in the creation screen. Low covers reads and safe generation; Medium covers ordinary edits like video metadata and collections; High covers trust-sensitive actions such as managing members, granting free access, managing subscriptions (which acts on your connected Stripe account), and emailing members. You can expand any scope card to see the exact tools it unlocks.

To move faster, pick a preset: Read-only (read videos, collections, and members), Content agent (read and write videos and collections, plus content and image generation), or Full access (everything — only for clients you completely control). Choose Custom to hand-pick.

Create a key

When you create a key, the full key is displayed exactly once — only a secure hash is stored, so if you lose it you'll need a new one. Copy it into a password manager or secret store immediately.

Edit, revoke, or grant everything

Click Edit on any key to change its scopes later — changes take effect immediately, and clients trying a removed permission get a 403 error. Click Revoke to disable a key instantly; anything still using it gets a 401 error on its next request.

There's also a per-key "Grant all access" option that gives the key every current and future capability automatically, so it never needs re-scoping when new tools ship. Per-tool guardrails (like email sending caps) still apply. Leave it off unless you fully control the client.
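The create, edit and revoke behavior described above can be modeled in a few lines. This is an added example, not the platform's own code: the KeyStore class, the scope identifiers such as "videos:read", the SHA-256 choice, the key format after the ac_ prefix, and the 401 for an unknown key are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

KEY_PREFIX = "ac_"  # prefix stated on this page


def _digest(key):
    # SHA-256 is an assumption; the page only says "a secure hash".
    return hashlib.sha256(key.encode()).hexdigest()


class KeyStore:
    """Constructed model: keeps a digest per key, never the key itself."""

    def __init__(self):
        self._records = {}  # client name -> digest, scopes, revoked flag

    def create(self, name, scopes):
        if not scopes:
            raise ValueError("select at least one scope")  # no empty keys
        key = KEY_PREFIX + secrets.token_urlsafe(32)  # key format assumed
        self._records[name] = {"digest": _digest(key),
                               "scopes": set(scopes), "revoked": False}
        return key  # returned once; only the digest remains afterwards

    def edit(self, name, scopes):
        self._records[name]["scopes"] = set(scopes)  # effective immediately

    def revoke(self, name):
        self._records[name]["revoked"] = True

    def authorize(self, key, required_scope):
        """Return the HTTP status for a call that needs required_scope."""
        presented = _digest(key)
        record = next((r for r in self._records.values()
                       if hmac.compare_digest(r["digest"], presented)), None)
        if record is None or record["revoked"]:
            return 401  # revoked (per the page) or unknown (assumed)
        if required_scope not in record["scopes"]:
            return 403  # key is valid but lacks the matching scope
        return 200


if __name__ == "__main__":
    store = KeyStore()
    key = store.create("reporting-dashboard", {"videos:read", "analytics:read"})
    print(store.authorize(key, "videos:read"), store.authorize(key, "videos:write"))
    store.revoke("reporting-dashboard")
    print(store.authorize(key, "videos:read"))
```

Because only the digest is kept, a lost key cannot be shown again, which is why the page tells you to create a new one.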

Step by step

  1. In your admin, go to Integrations → API.
  2. Click "Create new key" and give it a name that identifies the client that will use it.
  3. Choose scopes: pick the Read-only, Content agent, or Full access preset, or select Custom and tick individual permissions. You must select at least one.
  4. Click "Create key".
  5. Copy the full key immediately — it's shown only this once. Store it in a secret manager.
  6. Click "I have saved the key" to finish.

Good to know

  • One key per client: if a tool misbehaves or a key leaks, revoke just that one.
  • Grant the smallest scope set that gets the job done — a reporting dashboard needs only read and analytics scopes.
  • High-risk scopes like granting access and managing subscriptions should only go to integrations you built or fully trust.
  • Never paste an API key into shared documents, chat, or code committed to version control.
