Scopes
Every API call (REST or MCP) is gated by a scope. Scopes follow
the `resource:action` form. Service-account JWTs carry an explicit
`scopes[]` claim; user JWTs derive scopes from their role.
Catalog
| Family | Scopes |
|---|---|
| org | org:read · org:update · org:delete · org:transfer |
| members | members:list · members:invite · members:remove · members:role |
| provider_keys | provider_keys:list · :create · :update · :rotate · :disable · :delete |
| virtual_keys | virtual_keys:list_all · :list_own · :create · :revoke_own · :revoke_any · :rotate |
| limit_profiles | limit_profiles:list · :create · :update · :delete |
| usage | usage:read_all · usage:read_own · usage:export |
| alerts | alerts:list · :create · :update · :delete · :acknowledge |
| audit | audit:read · audit:export |
| webhooks | webhooks:list · :create · :update · :delete · :replay |
| billing | billing:read · billing:update |
| service_accounts | service_accounts:list · :create · :revoke |
| approvals | approvals:request · approvals:approve |
| enterprise | sso:configure · scim:configure · routing:configure · caching:configure · redaction:configure · roles:* · cost_allocation:configure |
Wildcards
- `virtual_keys:*` — every action in the family.
- `*` — every action in every family. Restricted to `owner`/`admin` role; service accounts cannot mint this.
When in doubt
The OpenAPI spec at api.edgify.net/openapi.json
lists the scope required for each operation under
security[]. Match it exactly.
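
The wildcard rules and the `security[]` lookup above, written out as a scope check. This is an added example, not Edgify's own code: the function names, the `bearerAuth` scheme name and the sample operation are assumptions, and `security[]` is evaluated with standard OpenAPI semantics (entries are alternatives, scopes within an entry are all required).

```python
# Added example: scope semantics as described on this page, not Edgify's code.

def scope_satisfies(granted: str, required: str) -> bool:
    """True if one granted scope covers one required resource:action scope."""
    if granted == "*":                       # every action in every family
        return True
    g_res, sep, g_act = granted.partition(":")
    r_res, _, r_act = required.partition(":")
    if not sep or not r_act or g_res != r_res:
        return False                         # malformed, or a different family
    return g_act == "*" or g_act == r_act    # family wildcard or exact action


def validate_grant(scopes, principal, role=None):
    """Reject malformed scopes and '*' grants the page disallows at mint time."""
    for s in scopes:
        if s == "*":
            if principal == "service_account" or role not in ("owner", "admin"):
                raise ValueError("'*' is restricted to owner/admin users")
            continue
        res, sep, act = s.partition(":")
        if not (sep and res and act) or ":" in act or res == "*":
            raise ValueError(f"malformed scope: {s!r}")
    return list(scopes)


def is_authorized(granted, security):
    """Evaluate an operation's security[] list against a token's scopes.

    Any one entry may be satisfied; within an entry every listed scope must
    be covered. An empty list fails closed, since every call is scope-gated.
    """
    return any(
        all(any(scope_satisfies(g, req) for g in granted)
            for reqs in entry.values() for req in reqs)
        for entry in security
    )


# Constructed security[] for a hypothetical "revoke any virtual key" operation.
SECURITY = [{"bearerAuth": ["virtual_keys:revoke_any"]}]

if __name__ == "__main__":
    for token_scopes in (["virtual_keys:revoke_own"], ["virtual_keys:*"], ["*"]):
        print(token_scopes, "->", is_authorized(token_scopes, SECURITY))
```

A token holding only `virtual_keys:revoke_own` is denied here: scopes in the same family are not interchangeable, so the operation's required scope must be held exactly or covered by a wildcard.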