Capabilities
API keys support scoped permissions per functional area, so each key holds only the permissions it needs. For the full list of scopes and the endpoints each one grants, see Authentication — Scopes.Best practices
- Use the principle of least privilege — only grant necessary capabilities.
- Rotate API keys regularly for security.
- Use different keys for different services or applications.