Scopes

Every API key carries a list of scopes. A request fails with 403 FORBIDDEN if the key is missing any required scope, with a message like:

Insufficient permissions. Missing scopes: leads:write

Available scopes

Scope	Grants
`leads:read`	List, get, search leads. Read activities and pipeline stages.
`leads:write`	Create, update, delete leads. Add notes and communications.
`projects:read`	List and get projects and units.
`projects:write`	Create, update, delete projects and units.
`members:read`	List organization members.
`pipeline:read`	Read pipeline stages (also covered by `leads:read`).
`lead-sources:read`	Read the lead-source catalog (also covered by `leads:read`).
`webhooks:manage`	List event types, create / list / delete webhook subscriptions.

Each endpoint section in the API Reference lists the exact scope it requires.

Common patterns:

Lead ingestion only (Meta Ads form, web form, landing page): leads:write.
Two-way sync (a CRM tool that needs to read and update leads): leads:read, leads:write.
BI / reporting (read-only dashboards): leads:read, projects:read, members:read.
Catalog publisher (sync units availability to a website): projects:read, projects:write.
Webhook orchestrator (Zapier, Make, n8n connectors): webhooks:manage plus the read/write scopes you actually use.

You can edit a key’s scopes in the dashboard at any time. Changes take effect on the next request.