Skip to main content
Scopes define exactly which endpoints an API key can access. When you create a key, you choose one or more scopes. Every request is checked against the key’s scopes before it reaches the handler. If the key lacks the required scope, the request is rejected with a 403 Forbidden response.

All available scopes

ScopeDescriptionEndpoints
ideaclouds:readList and retrieve IdeaClouds, questions, and clusters3
ideaclouds:writeCreate IdeaClouds (single and batch)2
content:readList and retrieve content, HTML, components, and compliance reports5
content:writeCreate content and trigger generation3
compliance:writeTrigger compliance checks on articles1
content_tools:writeGenerate SEO metadata, schemas, and social snippets2
inventory:readList vehicles, view descriptions, feeds, and stats5
inventory:writeTrigger AI description generation (single and batch)2
webhooks:readList webhook subscriptions and delivery logs2
webhooks:writeCreate, update, delete, and test webhook subscriptions4
site:readView site details, categories, brand voices, elements, and content types5

How scope enforcement works

Every public API endpoint declares one or more required scopes. When a request arrives, the authorizer:
  1. Validates the API key from the X-API-Key header
  2. Loads the key’s assigned scopes from the database
  3. Checks if the key has at least one of the endpoint’s required scopes
  4. If the key lacks the required scope, the request is rejected before the handler runs

403 Forbidden response

When a key does not have the required scope, the API returns: 
{
  "error": {
    "code": "forbidden",
    "message": "This API key requires one of the following scopes: content:write",
    "details": {
      "required_scopes": ["content:write"]
    }
  }
}
The required_scopes array in details tells you exactly which scope(s) you need. Add the scope to your API key in the Hrizn Dashboard, or create a new key with the correct scopes.

Presets

When creating an API key in the dashboard, you can use presets to quickly assign common scope combinations:
PresetScopes included
Full AccessAll 11 scopes
Read Onlyideaclouds:read, content:read, inventory:read, site:read
Content GenerationAll read scopes + ideaclouds:write, content:write, compliance:write, content_tools:write
Inventory Onlyinventory:read, inventory:write, site:read

Endpoints that do not require a specific scope

The following endpoints require a valid API key but are accessible with any scope:
MethodPathDescription
GET/public/reference/scopesList all available scopes
GET/public/reference/content-typesList all content types
GET/public/reference/component-typesList all component types
GET/public/reference/webhook-eventsList all webhook event types
GET/public/reference/content-toolsList all content tools
The health check endpoint does not require an API key at all:
MethodPathDescription
GET/public/healthHealth check (no authentication)

Check your key’s scopes programmatically

curl https://api.app.hrizn.io/v1/public/reference/scopes \
  -H "X-API-Key: hzk_your_key_here"

{
  "data": {
    "scopes": {
      "ideaclouds:read": "List and view IdeaClouds and questions",
      "ideaclouds:write": "Create IdeaClouds",
      "content:read": "List and view content, components, HTML",
      "content:write": "Create content, trigger generation",
      "compliance:write": "Trigger compliance checks",
      "content_tools:write": "Generate schemas, meta, social snippets",
      "inventory:read": "List and view inventory, descriptions, feeds",
      "inventory:write": "Trigger inventory description generation",
      "webhooks:read": "View webhook subscriptions and deliveries",
      "webhooks:write": "Create, update, delete webhook subscriptions",
      "site:read": "View site details, brand voices, elements, categories"
    }
  }
}
Last modified on March 1, 2026