Create scoped API keys for Pinned Events integrations. Understand channels:read, events:create, owner access, one-time secrets, revocation, and least-privilege access.
What API keys are
An API key is a bearer secret tied to the user who created it. The key owner determines which channels can be listed or targeted by Public API requests.
Default scopes
New keys start with the minimum quickstart pair: channels:read and events:create. Existing keys are not silently changed when defaults change.
| Scope | Allows |
|---|---|
| channels:read | List channels available to the key owner. |
| events:create | Create events in channels available to the key owner. |
| events:read | Read events available through the Public API. |
| events:update | Update supported event fields through the Public API. |
| media:create | Upload media for use as event cover images. |
Owner access
Scopes are necessary but not sufficient. Runtime authorization still verifies that the key owner has access to the target channel before a create, read, or update operation succeeds.
Missing scope behavior
When a valid API key does not include the scope required by a route, the API returns a 403 insufficient_scope response. Add only the missing scope that the integration actually needs.
Revoked, disabled, and expired keys
Revoked, disabled, and expired keys cannot authenticate Public API requests. Soft-revoked keys remain in audit history but do not count toward the active key cap.
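The three checks described above (key state, scope, owner access) can be modeled as one decision function. This is an added illustration, not Pinned Events' own code: the operation names, the reason labels other than insufficient_scope, the sample owner and channels, and the ordering of the scope check before the owner check are assumptions.

```python
from dataclasses import dataclass

# Scope each operation requires, taken from the scope table on this page.
# The operation names on the left are hypothetical labels for this example.
REQUIRED_SCOPE = {
    "list_channels": "channels:read",
    "create_event": "events:create",
    "read_event": "events:read",
    "update_event": "events:update",
    "upload_media": "media:create",
}

@dataclass
class ApiKey:
    owner: str
    # New keys start with the default pair described on this page.
    scopes: frozenset = frozenset({"channels:read", "events:create"})
    status: str = "active"  # "active", "revoked", "disabled" or "expired"

def authorize(key, operation, channel, owner_channels):
    """Return (allowed, reason) for one request.

    owner_channels maps a user to the channels that user can access.
    Reasons other than "insufficient_scope" are hypothetical labels.
    """
    # 1. Revoked, disabled and expired keys cannot authenticate at all,
    #    no matter which scopes they still list.
    if key.status != "active":
        return False, "unauthenticated"
    required = REQUIRED_SCOPE.get(operation)
    if required is None:
        return False, "unknown_operation"  # fail closed on unmapped routes
    # 2. A valid key without the route's scope gets 403 insufficient_scope.
    if required not in key.scopes:
        return False, "insufficient_scope"
    # 3. Scope alone is not enough: the key owner must have access to the
    #    target channel. channel is None for operations with no target.
    if channel is not None and channel not in owner_channels.get(key.owner, set()):
        return False, "no_channel_access"
    return True, "ok"

# Constructed sample data: one owner with access to a single channel.
OWNER_CHANNELS = {"alice": {"team-launch"}}
DEFAULT_KEY = ApiKey(owner="alice")
REVOKED_KEY = ApiKey(owner="alice", scopes=frozenset(REQUIRED_SCOPE.values()),
                     status="revoked")

if __name__ == "__main__":
    for op, ch in [("create_event", "team-launch"), ("update_event", "team-launch"),
                   ("create_event", "other-team")]:
        print(op, ch, authorize(DEFAULT_KEY, op, ch, OWNER_CHANNELS))
    print("revoked", authorize(REVOKED_KEY, "create_event", "team-launch", OWNER_CHANNELS))
```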