Secure your CPaaS X setup
CPaaS X isolates each entity's data at the platform level. When you provide API access to customers or services, scoped API keys add an additional layer of control. Unlike standard API keys which provide account-wide access, scoped API keys restrict usage to specific applications or entities. This enables granular access control and limits the impact if credentials are compromised.
Standard vs scoped API keys [#standard-vs-scoped-api-keys]
The following table compares standard and scoped API keys:
| Dimension | Standard API key | Scoped API key |
|---|---|---|
| Application access | All applications | Specific application(s) |
| Entity access | All entities | Specific entity/entities |
| Endpoint access | All endpoints | Allowed endpoints only |
| Channel access | All channels | Allowed channels only |
| If compromised | Entire account at risk | Only that scope affected |
When to use scoped API keys [#when-to-use-scoped-api-keys]
Customer access
Give each customer an entity-scoped key so they can only access their own data. For example, customer-a gets a key scoped to their entity only.
Team access control
Different teams access only their assigned resources. Marketing gets a marketing-entity key, support gets a support-entity key.
Environment separation
Application-scoped keys for production and staging environments. Each key can only access its assigned application.
API key scope dimensions [#api-key-scope-dimensions]
API keys can be scoped across three dimensions. You can combine any of them:
Application / Entity
Unscoped (all), application-scoped (one application, all its entities), entity-scoped (one entity), or application + entity-scoped (one entity within one application).
Endpoint access
Messaging (send messages), reporting (delivery reports and analytics), logs (message logs and event history), provisioning (manage resources and configurations).
Channel
All channels (unrestricted), or restricted to specific channels (SMS, Email, WhatsApp, Voice, and more).
CPaaS X scoped API keys build on the Infobip platform's authentication and authorization framework.
- Authentication methods: See API authentication for supported auth methods (API key header, Basic Auth, OAuth 2.0).
- Scopes and roles: See API authorization for how scopes control access to API endpoints.
Manage API keys
Step-by-step instructions for creating scoped API keys.
Applications and entities
Core concepts and organizational hierarchy.
Sending strategies
Resource associations and intelligent routing.
Webhook subscriptions
Real-time delivery notifications per entity.