Scopes

Every endpoint requires a specific scope. A key only carries the scopes you granted it — always grant the least privilege an integration needs. A request missing a required scope returns HTTP 403 with missing_scope.

How scopes work

  • Each operation declares its required scope (shown as Required scopes on every reference page).
  • Read and write are separate — e.g. courses.read never allows writes.
  • Start with read-only keys, and add write scopes only when needed.

Available scopes

Read

academy.read, courses.read, lessons.read, quizzes.read, sessions.read, bookings.read, attendance.read, students.read, enrollments.read, certificates.read, memberships.read, assignments.read, analytics.read, events.read, webhooks.read

Write

academy.write, theme.write, seo.write, courses.write, lessons.write, quizzes.write, pages.write, sessions.write, bookings.write, students.write, enrollments.write, certificates.write, memberships.write, assignments.write, coupons.write, banners.write, notifications.write, webhooks.write, media.generate

⚠️

Some capabilities are never issuable in v1 — payments, hard deletes of revenue/progress-bearing data, domains, team/roles, and AI execution.