Definition
An API key scope is a permission boundary that limits what a key can do, such as chat writes, embeddings writes, image requests, or usage reads. Scopes reduce blast radius, but full keys still belong in server-side secret storage, not public tools, frontend code, screenshots, or support messages.
Canonical facts
| Purpose | Limit what a key can access or change. |
|---|---|
| Storage | Keep full keys server-side or in secret managers. |
| Display | Show safe prefixes, not full keys, after creation. |
| Rotation | Rotate keys when exposed or no longer needed. |
| unlimitedcodex | Treat delivered keys and self-service scoped keys as sensitive credentials. |
Why scopes help
A scoped key can reduce damage if one workflow is compromised. For example, a key used only for usage reads should not also be able to send image or chat requests.
What scopes do not solve
Scopes do not make a leaked full key safe. Do not paste keys into public examples, forums, support messages, analytics tools, or client-side code. Rotate any exposed key immediately.
Checks
Use the smallest scope needed for the workload.
Store keys in server-side environment variables or secret managers.
Never paste full keys into public tools.
Rotate keys after exposure or role changes.
Use separate keys for test and production paths when available.
Target queries
FAQ
Can a scoped key be public?
No. Scopes limit permissions, but a full key is still a credential and should stay private.
What should be shown in dashboards?
Dashboards should show safe prefixes or metadata, not full reusable secrets after creation.
What if a key leaks?
Revoke or rotate it, inspect logs for misuse, and move secrets into a safer storage path.