API Key Scoping

API key scoping allows you to restrict which APIs and features a key can access. This is essential for security, team management, and creating limited-access keys for specific use cases. Available on Pro and Mega plans.

Plan Requirement

API key scoping and sub-keys are available on Pro and Mega plans. Upgrade your plan to access these features.

New to Sub-Keys?

If you haven't created sub-keys yet, start with our Sub-Keys guide to learn how to create additional API keys for your team and applications. Then return here to learn about restricting their access.

Overview

Key scoping provides granular access control over your APIVerve resources. You can:

  • Block specific APIs - Prevent access to certain APIs while allowing others
  • Allow only specific APIs - Create keys that can only access a whitelist of APIs
  • Restrict VerveKit features - Control access to JSONBin, MockServer, Forms, and GraphQL
  • Create sub-keys - Generate additional keys with independent scopes for team members or applications

Scoping works on both your primary API key and any sub-keys you create. Each key can have its own independent scope configuration.

Scope Types

There are two main categories of scopes you can configure:

API Scopes

Control access to individual APIs in the APIVerve marketplace. You can either block specific APIs or block all APIs except those you explicitly allow.

Mode                     Description                                                            Example Scope
Block Specific           Block only the listed APIs; everything else stays allowed              ["weather", "news"]
Allow Only (Whitelist)   Block all APIs with "*apis", then allow only the names prefixed with !  ["*apis", "!weather", "!news"]

VerveKit Feature Scopes

Control access to VerveKit developer tools:

Scope Value   Feature              Description
jsonbin       JSONBin              JSON storage and retrieval service
mock          MockServer           Mock API endpoint creation
forms         Embedded Forms       Form builder and submission handling
graphql       GraphQL Playground   GraphQL query interface
*vervekit     All VerveKit         Block all VerveKit features at once

Configuring Scopes

You can configure scopes through the dashboard or programmatically via API.

Using the Dashboard

  1. Navigate to API Keys in your dashboard
  2. Click the Scope button on your primary key or any sub-key
  3. Use the APIs section to search and select APIs to block
  4. Use the VerveKit section to toggle feature access
  5. Click Save Changes to apply the scope

Whitelist Mode

To create a key that can only access specific APIs, first toggle "Block All APIs", then add exceptions for the APIs you want to allow. This creates a whitelist where only the exception APIs are accessible.

Scope Format

Scopes are stored as an array of strings. Understanding the format helps when working with the API:

Block Specific APIs
["weather", "news", "stocks"]

This blocks only the Weather, News, and Stocks APIs. All other APIs remain accessible.

Allow Only Specific APIs (Whitelist)
["*apis", "!emailvalidator", "!qrcodegenerator", "!weather"]

The *apis wildcard blocks all APIs. The ! prefix creates exceptions, so only Email Validator, QR Code Generator, and Weather APIs are accessible.

Block All VerveKit Features
["*vervekit"]

This blocks JSONBin, MockServer, Forms, and GraphQL with a single entry. APIs are not affected.

Combined Scope (APIs + VerveKit)
["*apis", "!weather", "!news", "jsonbin", "mock"]

This allows only the Weather and News APIs and blocks the JSONBin and MockServer features. Forms and GraphQL are not listed, so they remain accessible; use "*vervekit" instead of individual feature names if the key should have no VerveKit access at all.

Full Access (No Restrictions)
null

Setting the scope to null or an empty array [] grants full access to all APIs and features. This is also the state of a key that has never been scoped, so restrictions are opt-in: a key only becomes a whitelist once "*apis" is in the array, and nothing is blocked by default.
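To make these rules concrete, here is an added Python evaluator and linter for blockScope arrays. It is example code written for this page, not APIVerve's own implementation, and it models only what the page documents: the four VerveKit feature names, the "*apis" and "*vervekit" wildcards, "!" exceptions, and null/[] meaning full access. The page shows "!" exceptions for APIs only, so treating them as ineffective for VerveKit features is an assumption, and the linter flags such entries. Run against the page's own "Frontend Developer Key" it shows a gap the text does not mention: the VerveKit tools are left open.

```python
"""Evaluator and linter for APIVerve blockScope arrays.

Added example for this page, not APIVerve's own code. It models only what
the page documents; the treatment of "!" exceptions for VerveKit feature
names is an assumption (the page shows exceptions for APIs only).
"""

# VerveKit feature names documented on the page. Any other bare name in a
# scope array is taken to be an API name (e.g. "weather").
VERVEKIT_FEATURES = frozenset({"jsonbin", "mock", "forms", "graphql"})
BLOCK_ALL_APIS = "*apis"
BLOCK_ALL_VERVEKIT = "*vervekit"


def is_blocked(scope, resource):
    """Return True if `resource` (an API name or VerveKit feature name) is
    blocked by `scope` (a list of strings, [] or None).

    Documented rules: None/[] is full access; a bare name blocks that one
    API or feature; "*apis" blocks every API except names listed as "!name";
    "*vervekit" blocks every VerveKit feature.
    """
    if not scope:
        return False
    entries = set(scope)
    if resource in VERVEKIT_FEATURES:
        # Assumption: "!" exceptions do not re-enable VerveKit features.
        return BLOCK_ALL_VERVEKIT in entries or resource in entries
    if "!" + resource in entries:
        return False
    return BLOCK_ALL_APIS in entries or resource in entries


def lint(scope):
    """Return sorted warnings for entries that do not do what was probably
    intended. An empty list means the scope reads as a clean policy."""
    if not scope:
        return ["empty or null scope grants FULL access to every API "
                "and VerveKit feature"]
    entries = set(scope)
    warnings = []
    for e in entries:
        if e.startswith("!"):
            if e[1:] in VERVEKIT_FEATURES:
                warnings.append(f"{e!r}: '!' exceptions are documented for "
                                "APIs only; it will not re-enable the feature")
            elif BLOCK_ALL_APIS not in entries:
                warnings.append(f"{e!r} has no effect without '*apis' "
                                "(the API is already allowed)")
        elif e in VERVEKIT_FEATURES and BLOCK_ALL_VERVEKIT in entries:
            warnings.append(f"{e!r} is redundant alongside '*vervekit'")
    if BLOCK_ALL_APIS in entries and BLOCK_ALL_VERVEKIT not in entries:
        still_open = sorted(VERVEKIT_FEATURES - entries)
        if still_open:
            warnings.append("whitelist blocks all APIs but leaves VerveKit "
                            "features open: " + ", ".join(still_open))
    return sorted(warnings)


def whitelist(allowed_apis, block_vervekit=True):
    """Build a least-privilege scope: block everything, then allow only
    `allowed_apis`. VerveKit is blocked too unless explicitly wanted."""
    scope = [BLOCK_ALL_APIS] + ["!" + name for name in allowed_apis]
    if block_vervekit:
        scope.append(BLOCK_ALL_VERVEKIT)
    return scope


if __name__ == "__main__":
    # The page's own "Frontend Developer Key": the lint shows VerveKit is open.
    frontend = ["*apis", "!qrcodegenerator", "!imageresizer", "!colorpalette"]
    print(is_blocked(frontend, "weather"), is_blocked(frontend, "jsonbin"))
    for w in lint(frontend):
        print("warning:", w)
    print(whitelist(["currencyconverter"]))
```

Use `whitelist()` to generate the array you send in `blockScope`, and run `lint()` over every scope in code review: the two mistakes it catches most often are a "!name" exception written without "*apis" (a silent no-op that allows everything) and a whitelist that forgets VerveKit.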

Sub-Keys

Sub-keys are additional API keys linked to your account. They share your subscription's usage quota but can have independent scope restrictions. This is ideal for:

  • Team members - Give developers access to only the APIs they need
  • Applications - Create dedicated keys for each app with minimal permissions
  • Environments - Separate keys for development, staging, and production
  • Clients - Provide limited access to external parties

Creating Sub-Keys

  1. Go to API Keys in your dashboard
  2. Click Create Sub-Key
  3. Enter a descriptive name (e.g., "Production Server", "Mobile App", "Partner Integration")
  4. Configure the scope to restrict access as needed
  5. Click Create

Sub-Key Limits

The number of sub-keys you can create depends on your plan. Check your dashboard to see your current limit and usage.

Sub-Key Format

Sub-keys have a distinct format to differentiate them from primary keys:

Key Type      Prefix      Example
Primary Key   apv_        apv_abc123...
Sub-Key       apv_sbk_    apv_sbk_xyz789...

The fixed prefix also makes sub-keys easy to recognise in logs and secret-scanning rules, and tells you which kind of key to revoke if one leaks.

Sub-Key Billing

Sub-keys share your account's usage quota. All API calls made with sub-keys count toward your plan's limits and are billed to the parent account. This means:

  • No additional subscription costs for sub-keys
  • All usage is consolidated in your analytics
  • Rate limits are shared across all keys

The shared quota cuts both ways: a scope limits which APIs a sub-key can call, not how many calls it can make, so a leaked or runaway sub-key can still exhaust the rate limit for every other key on the account. Remove such a key rather than relying on its scope to contain it.

Managing Scopes via API

You can programmatically manage key scopes using the Dashboard API. These endpoints are authenticated with your dashboard session token, not an API key. The blockScope field takes the same array format described under Scope Format; an empty array removes every restriction, so check the payload before sending it.

Update Primary Key Restrictions

PUT /api/apikeys/{userId}/restrictions
Content-Type: application/json
Authorization: Bearer {session_token}

{
  "blockScope": ["weather", "news", "*vervekit"]
}

Create Sub-Key with Scope

POST /api/apikeys/{userId}/subkeys
Content-Type: application/json
Authorization: Bearer {session_token}

{
  "name": "Production Server",
  "blockScope": ["*apis", "!emailvalidator", "!weather"]
}

Update Sub-Key Scope

PUT /api/apikeys/{userId}/subkeys/{subKeyId}
Content-Type: application/json
Authorization: Bearer {session_token}

{
  "name": "Production Server",
  "blockScope": ["*apis", "!emailvalidator", "!weather", "!qrcodegenerator"]
}

Scope Enforcement

When a key attempts to access a blocked API or feature, the request is rejected with a 403 Forbidden response:

403 Forbidden - Access Blocked
{
  "status": "error",
  "error": "Access to weather is blocked for this API key",
  "data": null
}

The error message clearly indicates which API or feature was blocked, making it easy to diagnose scope issues.

Scope Change Propagation

Scope changes may take up to 10 minutes to fully propagate across all edge servers. During this window a key whose scope you just tightened can still reach the APIs you blocked, so treat it as still privileged until you have seen the 403 yourself. If the restriction must take effect immediately, create a new key with the desired scope and switch to it rather than waiting for the old one to update.
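Because of that window, verify enforcement instead of assuming it. The following added Python helper is example code for this page, not APIVerve's, and it polls a blocked API with the re-scoped key until the 403 body documented above appears, giving up after the 10-minute window so you know to rotate. The page does not show the request format for calling an API, so `probe` is an injected callable (an assumption) that makes one call with the key and returns the HTTP status and parsed JSON body; the matching is done on the documented body, not just the status code.

```python
"""Wait until a tightened scope is actually enforced on a key.

Added example for this page, not APIVerve code. `probe(api_name)` is an
assumption: the page does not document how an API call is made, so you
supply a callable that calls the API with the re-scoped key and returns
(http_status, parsed_json_body).
"""
import time

PROPAGATION_WINDOW_S = 10 * 60   # page: changes may take up to 10 minutes


def is_scope_denial(status, body):
    """True only for the scope-block response documented on the page:
    403 with {"status": "error", "error": "Access to <x> is blocked for this
    API key", ...}. Matching on the body rather than the status code alone
    avoids mistaking some other 403 for successful enforcement."""
    return (status == 403
            and isinstance(body, dict)
            and body.get("status") == "error"
            and "is blocked for this API key" in str(body.get("error", "")))


def wait_until_blocked(probe, api_name, interval_s=15.0,
                       deadline_s=PROPAGATION_WINDOW_S,
                       clock=time.monotonic, sleep=time.sleep):
    """Poll `probe(api_name)` until it returns the scope-denial 403.

    Returns (enforced, attempts). `enforced` is False if the deadline passed
    without a denial; in that case the page's advice applies: rotate to a
    new key rather than trusting the old one. `clock` and `sleep` are
    injectable so the loop can be exercised without real waiting.
    """
    start = clock()
    attempts = 0
    while True:
        attempts += 1
        status, body = probe(api_name)
        if is_scope_denial(status, body):
            return True, attempts
        if clock() - start >= deadline_s:
            return False, attempts
        sleep(interval_s)


if __name__ == "__main__":
    # Constructed stand-in for a real probe: the old scope is still served
    # for the first two calls, then the new scope lands.
    canned = iter([
        (200, {"status": "ok"}),
        (200, {"status": "ok"}),
        (403, {"status": "error",
               "error": "Access to weather is blocked for this API key",
               "data": None}),
    ])
    enforced, n = wait_until_blocked(lambda name: next(canned), "weather",
                                     interval_s=0.0)
    print(f"enforced={enforced} after {n} probes")
```

A real probe should hit one of the APIs you just blocked, using the re-scoped key, from a non-production context: every 200 it receives is a real, billed call served under the old scope.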

Limitations

Be aware of these limitations when using key scoping:

Integration Restrictions

Sub-keys cannot be used with third-party integrations. The following platforms require your primary API key:

  • Zapier
  • Make (Integromat)
  • Pabbly Connect
  • Power Automate
  • n8n

Why This Restriction?

Integrations require specific authentication flows that are only supported by primary keys. If you need restricted access for integrations, configure scopes on your primary key instead; note that this restricts every caller that uses the primary key, not only the integration.

Scope Granularity

  • API-level only - Scopes work at the API level, not individual endpoints
  • No HTTP method restrictions - Cannot restrict GET vs POST for a given API
  • No IP-based restrictions - Scopes don't support geographic or IP filtering
  • No time-based restrictions - Cannot set time windows for access

Sub-Key Naming

  • Maximum 50 characters
  • Only letters, numbers, spaces, hyphens, and underscores allowed
  • Names must be unique within your account

Common Use Cases

Development Team Access

Create sub-keys for each developer with access only to APIs they're working on:

Frontend Developer Key
["*apis", "!qrcodegenerator", "!imageresizer", "!colorpalette"]

This scope covers APIs only; add "*vervekit" if the developer does not need the VerveKit tools.

Production Application

Create a minimal-permission key for your production app:

Production Key (Strict Whitelist)
["*apis", "!emailvalidator", "!weather", "*vervekit"]

This key can only use Email Validator and Weather APIs, with all VerveKit features disabled.

Partner Integration

Provide a limited key to external partners:

Partner Key (Single API)
["*apis", "!currencyconverter"]

Partners can only access the Currency Converter API; no other API is reachable. Because this scope covers APIs only, add "*vervekit" as well so the partner cannot reach the VerveKit tools either.

Testing Environment

Block production-only APIs in your test environment:

Test Environment Key
["emailsender", "smssender", "paymentprocessor"]

This prevents accidentally triggering real emails, SMS, or payments during testing.

Best Practices

  • Principle of Least Privilege - Always grant the minimum access required. Start with a restrictive scope and add permissions as needed.
  • Use Descriptive Names - Name sub-keys clearly (e.g., "Production-Backend", "Dev-John", "Partner-AcmeCorp") so you can easily identify their purpose.
  • Audit Regularly - Review your sub-keys and their scopes periodically. Remove unused keys and tighten scopes that are too permissive.
  • Separate Environments - Use different sub-keys for development, staging, and production to prevent cross-environment issues.
  • Monitor Usage - Check your analytics dashboard to see which APIs each key is accessing.
  • Document Your Scopes - Keep internal documentation of which keys have which scopes, especially when working in teams.

Ready to Configure Key Scoping?

Head to your API Keys dashboard to create sub-keys and configure scopes. Need a Pro or Mega plan? View pricing options.
