The catalog
There are eight scopes. Read scopes let a credential list and fetch; write scopes let it create or change content.Read-only by default
A credential created with no scopes selected gets the read-only set:How scopes are enforced
- API keys are granted a fixed set of scopes when you create them. To change scopes, create a new key.
- OAuth connections, including the CLI and MCP clients, are granted scopes when you approve them on the consent screen. A client can request scopes, but you approve what it actually receives, and the grant is capped by your role in the workspace.
- A request for an operation whose scope the credential lacks returns
403 forbidden, and nothing is read or written. Missing the read scope for a resource is also403, even inside your own workspace.
Scope and workspace are separate checks. A resource in another workspace returns
404 regardless
of scope, so an ID from another workspace never reveals whether your scopes would have allowed the
operation.