Scoped API keys

Note

Creating scoped API keys requires an Enterprise license. Basic (unscoped) keys are free.

A scoped API key narrows what a key can do — least-privilege publishing. Instead of a key that can push anything, you issue a key restricted to:

• a package pattern (a glob like Acme.*), and/or
• a set of operations (e.g. push-new-id vs push-version).

Creating one

As an admin, open /admin/api-keys, create a key, and set its package pattern and/or operations. The restrictions are enforced at push time: a push that falls outside the key’s pattern or operations is rejected.

On Community edition, creating a scoped key is blocked (unscoped keys still work). Apply an Enterprise license to enable it; see Licensing. Existing scoped keys keep enforcing their restrictions even if a license lapses — only creating new scoped keys is gated.