CTRLK

Shared components

Secure your CPaaS X setup

|

View as Markdown

CPaaS X isolates each entity's data at the platform level. When you provide API access to customers or services, scoped API keys add an additional layer of control. Unlike standard API keys which provide account-wide access, scoped API keys restrict usage to specific applications or entities. This enables granular access control and limits the impact if credentials are compromised.



Standard vs scoped API keys [#standard-vs-scoped-api-keys]

The following table compares standard and scoped API keys:


DimensionStandard API keyScoped API key
Application accessAll applicationsSpecific application(s)
Entity accessAll entitiesSpecific entity/entities
Endpoint accessAll endpointsAllowed endpoints only
Channel accessAll channelsAllowed channels only
If compromisedEntire account at riskOnly that scope affected


When to use scoped API keys [#when-to-use-scoped-api-keys]

Customer access

Customer access

Give each customer an entity-scoped key so they can only access their own data. For example, customer-a gets a key scoped to their entity only.

Team access control

Team access control

Different teams access only their assigned resources. Marketing gets a marketing-entity key, support gets a support-entity key.

Environment separation

Environment separation

Application-scoped keys for production and staging environments. Each key can only access its assigned application.



API key scope dimensions [#api-key-scope-dimensions]

API keys can be scoped across three dimensions. You can combine any of them:

Application and entity scope

Application / Entity

Unscoped (all), application-scoped (one application, all its entities), entity-scoped (one entity), or application + entity-scoped (one entity within one application).

Endpoint access

Endpoint access

Messaging (send messages), reporting (delivery reports and analytics), logs (message logs and event history), provisioning (manage resources and configurations).

Channel scope

Channel

All channels (unrestricted), or restricted to specific channels (SMS, Email, WhatsApp, Voice, and more).


Learn more

CPaaS X scoped API keys build on the Infobip platform's authentication and authorization framework.

  • Authentication methods: See API authentication for supported auth methods (API key header, Basic Auth, OAuth 2.0).
  • Scopes and roles: See API authorization for how scopes control access to API endpoints.


Related pages

Manage API keys
Step-by-step instructions for creating scoped API keys.

Applications and entities
Core concepts and organizational hierarchy.

Sending strategies
Resource associations and intelligent routing.

Webhook subscriptions
Real-time delivery notifications per entity.