API Keys and Scopes

Stable

What scopes and permissions API keys can have and how to issue them correctly.

Updated: March 5, 2026

An API key in SPG99 is a Bearer token for access to the Control Plane API.

Scope

Three main scopes are supported:

  • global
  • account
  • tenant

The practical meaning is:

  • global — the broadest administrative level;
  • account — access to one account;
  • tenant — access to only one tenant.

Permissions

The most commonly used ones are:

  • can_create_tenant
  • can_create_db
  • can_scale
  • can_delete

Even if a key has the can_scale permission, manual control of the database lifecycle is still disabled in the current public managed scenario. The database starts automatically on connection and stops after an idle period.

Recommendations

  • grant the minimum permissions required;
  • use separate keys for people and for CI;
  • do not grant global unnecessarily;
  • rotate tokens whenever there is any doubt about their security.
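
One way to check a key inventory against these recommendations, as an added example that is not SPG99's own code or API. The record fields (`name`, `scope`, `needed_scope`, `permissions`, `needed_permissions`, `used_by`, `suspected_exposure`) and the sample inventory are assumptions constructed for illustration; only the scope and permission names come from this page.

```python
# Added example: audit a key inventory against the recommendations above.
# The record layout is hypothetical (not an SPG99 format); only the scope
# and permission names come from the page.

SCOPE_RANK = {"tenant": 0, "account": 1, "global": 2}  # narrowest to broadest

def audit_key(key):
    """Return a list of findings for one key record."""
    findings = []
    scope, needed_scope = key["scope"], key["needed_scope"]
    if scope not in SCOPE_RANK or needed_scope not in SCOPE_RANK:
        return [f"unknown scope: {scope!r} / {needed_scope!r}"]
    # Least privilege, part 1: granted scope must not exceed the needed one.
    if SCOPE_RANK[scope] > SCOPE_RANK[needed_scope]:
        findings.append(f"scope {scope} is broader than needed ({needed_scope})")
    # Least privilege, part 2: every granted permission must be needed.
    excess = sorted(set(key["permissions"]) - set(key["needed_permissions"]))
    if excess:
        findings.append("unneeded permissions: " + ", ".join(excess))
    # People and CI should never share one key.
    if {"person", "ci"} <= set(key["used_by"]):
        findings.append("shared between a person and CI; issue separate keys")
    # Any doubt about a token's security means rotation.
    if key.get("suspected_exposure"):
        findings.append("rotate: security of this token is in doubt")
    return findings

def audit_inventory(keys):
    """Map key name -> findings, keeping only keys that have findings."""
    report = {k["name"]: audit_key(k) for k in keys}
    return {name: f for name, f in report.items() if f}

# Constructed sample inventory (not real keys or real SPG99 output).
SAMPLE_KEYS = [
    {"name": "ci-deploy", "scope": "global", "needed_scope": "tenant",
     "permissions": ["can_create_db", "can_delete"],
     "needed_permissions": ["can_create_db"], "used_by": ["ci"]},
    {"name": "alice-admin", "scope": "account", "needed_scope": "account",
     "permissions": ["can_create_tenant", "can_create_db"],
     "needed_permissions": ["can_create_tenant", "can_create_db"],
     "used_by": ["person", "ci"], "suspected_exposure": True},
    {"name": "reporting", "scope": "tenant", "needed_scope": "tenant",
     "permissions": [], "needed_permissions": [], "used_by": ["ci"]},
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_KEYS).items():
        for finding in findings:
            print(f"{name}: {finding}")
```
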

Console and email

For Console login, the token is additionally tied to the email address in the account profile. Keeping the profile up to date is therefore not a formality but a real part of secure access.