
insp.ac API

Developer platform

Scopes

API keys can be constrained to specific operations and resource types. Scopes enforce least-privilege access so each integration only reaches the data it needs.

How scopes work

When you create an API key, you assign it one or more scopes. Each scope grants access to a specific set of API operations. A request using a key without the required scope is rejected with a 403 status.

Scopes are evaluated on every request. If a key has issues:read but not issues:write, it can list and retrieve issues but cannot create or update them.

Available scopes

Scopes follow a resource:action pattern. Current scopes include:

Scope               Grants
issues:read         List and retrieve issues
issues:write        Create and update issues
works:read          List and retrieve work orders
works:write         Create and update work orders
sites:read          List and retrieve sites
sites:write         Create and update sites
assets:read         List and retrieve assets
assets:write        Create and update assets
users:read          List and retrieve user profiles
users:write         Create and update user profiles
checkins:read       List and retrieve site check-ins
checkins:write      Create and update site check-ins
logs:read           List and retrieve logs/comments
logs:write          Create logs/comments
sensors:read        List and retrieve sensor readings
sensors:write       Ingest sensor readings
templates:read      List and retrieve templates
templates:write     Create and update templates
runs:read           List and retrieve inspection runs
runs:write          Create and update inspection runs
schedules:read      List and retrieve unified schedule occurrences
schedules:write     Update occurrence status and obligation links
calendar:read       List calendar-formatted schedule occurrences
media:write         Upload and complete media attachment flows
integrations:read   List integration-platform action/trigger/subscription catalogs
integrations:write  Create and delete integration-platform trigger subscriptions

Note

A full list of scopes and the operations they protect is available in the interactive reference for each endpoint.

Scope violations

When a request requires a scope that the API key does not have, the API returns a 403 Forbidden response. This is a permanent error for that key configuration — retrying will not help.

403 response body

{
  "error": "Insufficient permissions",
  "code": "FORBIDDEN"
}

Important

A 403 from scope enforcement is different from a 401 authentication failure. If you receive 403, the key is valid but does not have the right permissions. Update the key's scopes in your organization settings.

Least-privilege guidance

Follow these practices to minimize the blast radius if a key is compromised:

  • Create separate keys for separate integrations, each with only the scopes it needs.
  • Prefer read-only scopes for reporting and analytics integrations.
  • Only add write scopes to keys used by systems that create or modify resources.
  • Audit scope assignments periodically and remove scopes that are no longer required.
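
The periodic audit described above can be scripted. The following is an added example, not part of the insp.ac SDK or API: it checks a key inventory against the documented scope list and flags unknown scopes, write scopes on reporting keys, and scopes that were never used. The KeyRecord shape, the purpose field, and the sample inventory are assumptions made for illustration.

```typescript
// Added example: scope names come from the "Available scopes" table; the
// KeyRecord shape, "purpose" field and sample inventory are constructed.
const RESOURCES = ["issues", "works", "sites", "assets", "users", "checkins",
  "logs", "sensors", "templates", "runs", "schedules", "integrations"];
// calendar is listed with read only and media with write only.
const KNOWN = new Set<string>(["calendar:read", "media:write"]);
for (const r of RESOURCES) { KNOWN.add(`${r}:read`); KNOWN.add(`${r}:write`); }

interface KeyRecord {
  name: string;
  purpose: "reporting" | "automation"; // hypothetical classification
  assigned: string[];                   // scopes currently on the key
  used: string[];                       // scopes observed in the review window
}
interface Finding { key: string; scope: string; reason: string }

function auditKeys(keys: KeyRecord[]): Finding[] {
  const findings: Finding[] = [];
  for (const k of keys) {
    const used = new Set(k.used);
    for (const scope of k.assigned) {
      if (!KNOWN.has(scope)) {
        // Typos and retired scopes grant nothing useful and hide intent.
        findings.push({ key: k.name, scope, reason: "unknown scope" });
      } else if (k.purpose === "reporting" && scope.endsWith(":write")) {
        findings.push({ key: k.name, scope, reason: "write scope on reporting key" });
      } else if (!used.has(scope)) {
        findings.push({ key: k.name, scope, reason: "unused scope" });
      }
    }
  }
  return findings;
}

// Constructed inventory for demonstration.
const sampleKeys: KeyRecord[] = [
  { name: "bi-dashboard", purpose: "reporting",
    assigned: ["issues:read", "runs:read", "issues:write"],
    used: ["issues:read", "runs:read"] },
  { name: "sensor-gateway", purpose: "automation",
    assigned: ["sensors:write", "assets:read", "sensor:write"],
    used: ["sensors:write"] },
];
console.log(auditKeys(sampleKeys));
```

Each finding is a candidate for removal from the key in organization settings; the "used" list has to come from your own request logging.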

Scopes and SDKs

SDK clients inherit the scopes of the API key used at initialization. Calling an SDK method for an operation the key cannot access will surface the 403 error through the SDK's standard error handling.

Handling scope errors (TypeScript)

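// `client` is an SDK client initialized with your API key.
try {
  await client.issues.create({ title: "New issue", status: "open" });
} catch (err) {
  // In strict TypeScript `err` is `unknown`; narrow it before reading `status`.
  if (typeof err === "object" && err !== null && (err as { status?: number }).status === 403) {
    // The key is valid but lacks the scope; retrying will not help.
    console.error("API key is missing issues:write scope");
  } else {
    throw err; // Do not swallow unrelated failures.
  }
}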