Right now the REST API (and the MCP) isn’t really usable for us because keys can’t be scoped. To do something as harmless as pull analytics for an automated monthly report, I have to hand out a key that can also delete sites, environments, backups — everything.
That’s too broad to be comfortable storing anywhere (a script, a spreadsheet integration, a CI secret, etc.), so in practice we just can’t use it.
Would love to see permission scopes / read-only keys — e.g. a key that can read analytics and nothing else. That alone would unlock a lot of automation for us.
I genuinely appreciate your feedback. I understand your concerns regarding the current API key permissions, which are indeed tied to the user who generates the key. As it stands, only company owners, company administrators, and company developers can create API keys, and I recognize that this means they also have the ability to delete sites, environments, backups, and more.
Your suggestion for the option to generate an API key with custom permissions or read-only access is valuable, and I will make sure to pass it along. If this feature gets approved and implemented in the future, we’ll be sure to keep you updated. Thank you for sharing your thoughts with us!