Skip to content

Integrations permissions reference

This page lists the API scopes that gate Integrations features, what each scope controls, and which operations it covers.

Scope Controls Operations
api_keys:read View the API-key list (masked) api_keys_list
api_keys:write Create, rotate, and revoke API keys api_keys_create, api_keys_rotate, api_keys_revoke
webhooks:read View webhook endpoint list and delivery log webhook_endpoints_list, webhook_deliveries_list
webhooks:write Create webhook endpoints and run test sends webhook_endpoints_create, webhook_endpoints_test
webhooks:replay Replay a recorded delivery webhook_deliveries_replay
integrations:read View connected integrations integrations_list, integrations_get
integrations:write Disconnect an integration integrations_disconnect

The admin console UI maps a role’s RBAC permissions to the underlying API scopes. The story-level UI permission names and their API scope equivalents are:

integrations:manage-api-keys → api_keys:read + api_keys:write
integrations:manage-webhooks → webhooks:read + webhooks:write
integrations:replay-webhook → webhooks:replay
integrations:connect-no-code → Zapier-side consent gate; Disconnect gates on integrations:write

Note: The reconciliation between UI RBAC permission names and API spec scope names is tracked as OQ-IA-3. The Admin & Security RBAC area (12.2) is the authoritative source for role permission assignments.

The Developer section (API keys and Webhooks cards) on the Integrations landing page is hidden — not greyed — for a Volunteer Admin when API access is not enabled for the organization. This is a per-org toggle (the Zapier connect-no-code permission is a Zapier-side consent gate, not what controls Developer section visibility). The Volunteer Admin always sees the Zapier card and any connected-app cards.

The Volunteer Admin’s Zapier flow does not require them to select scopes or view an HMAC secret — those surfaces are reserved for the developer register.