> ## Documentation Index
> Fetch the complete documentation index at: https://docs.remyx.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# API Scopes

> Key prefixes, the scope catalog, presets, and which surface needs what

Remyx API keys are opaque, named tokens that carry an explicit set of **scopes**. Each scope gates which routes a key can call: a request to a route the key isn't scoped for returns `403 Forbidden`.

Create and manage keys at **Account > API Access**. See [Account & API Keys](/platform/admin/account) for that, and the [API Reference](/api-reference/api-reference#authentication) for how scopes appear in REST calls.

***

## Key prefixes

Every key's prefix tells you what it's for and how long it lives:

| Prefix   | Type           | Use it for                                                                                                             | Expiry        |
| -------- | -------------- | ---------------------------------------------------------------------------------------------------------------------- | ------------- |
| `rmxu_…` | **Personal**   | Your CLI, MCP server, ad-hoc REST calls                                                                                | Never expires |
| `rmxa_…` | **Automation** | Provisioning [automated discovery PRs](/platform/discover/outrider) (minted into repo secrets), CI, unattended scripts | 365-day TTL   |

Both are opaque (prefix + base62 entropy + CRC32 checksum). Remyx stores only `sha256(key)`. The plaintext is shown **once** at creation, then rendered as `rmxu_…last4` for identification.

***

## Scope catalog

Scopes are `category:access`. Access is either `read` or `write`, and **`write` implies `read`** for the same category.

| Category          | `read` grants                              | `write` grants (includes read)                    |
| ----------------- | ------------------------------------------ | ------------------------------------------------- |
| `account`         | View your profile, teams, and key metadata | Update profile and team settings                  |
| `projects`        | List and read projects                     | Create and modify projects                        |
| `interests`       | List and read Research Interests           | Create, update, toggle, and delete interests      |
| `recommendations` | Read recommendations and digests           | Refresh recommendation pools                      |
| `papers`          | Read papers and asset search               | *(read-only; no write scope)*                     |
| `experiments`     | List and read experiments                  | Create, update, and decide experiments            |
| `evals`           | Read eval builds, runs, and templates      | Create/run/cancel evals; manage templates         |
| `workflows`       | Read workflow definitions and state        | Create and modify workflows                       |
| `integrations`    | Read OAuth connection status               | Connect/disconnect providers, manage tokens       |
| `github`          | Read GitHub App installation info          | Mint installation tokens, push branches, open PRs |
| `provisioning`    | Read provisioning status                   | Provision repos and mint CLI/automation tokens    |

<Note>
  `papers` is read-only; there is no `papers:write`. The deprecated `models`/`datasets` surface is **not** in the scope catalog; those routes are reachable only with a legacy full-access key.
</Note>

### Resource-qualified grants

A scope can be narrowed to a specific resource by appending its UUID:

```
interests:read:3f2a9c1e-…   # read only this one interest
```

Use resource-qualified grants when a key should touch a single resource rather than the whole category. A digest bot scoped to one interest is a common case.

***

## Presets

When creating a key you can apply a one-click preset instead of picking scopes by hand:

| Preset             | Scopes granted                                                    | Recommended key type |
| ------------------ | ----------------------------------------------------------------- | -------------------- |
| **Read-only**      | `read` across the catalog                                         | `rmxu_`              |
| **Outrider setup** | `provisioning:write`, `interests:write`, `github:write`, and more | `rmxa_`              |
| **Experiment CI**  | `experiments:write`, `evals:write`, `projects:read`               | `rmxa_`              |
| **Digest bot**     | `recommendations:read`, `papers:read`, `interests:read`           | `rmxa_` or `rmxu_`   |

You can always edit the scope set after applying a preset, before creating the key.

***

## Which surface needs what

| Surface                                       | Key type | Recommended scopes                                                    |
| --------------------------------------------- | -------- | --------------------------------------------------------------------- |
| **CLI / MCP, personal use**                   | `rmxu_`  | A broad personal key (or **Read-only** if you only consume data)      |
| **Automated discovery PRs** (repo automation) | `rmxa_`  | **Outrider setup** preset                                             |
| **CI pipelines**                              | `rmxa_`  | **Experiment CI** preset                                              |
| **Digest / notification bot**                 | `rmxa_`  | **Digest bot** preset (optionally resource-qualified to one interest) |

<Tip>
  Prefer a narrowly-scoped key per use over one broad key everywhere. To rotate, create a new key and revoke the old one; keys are immutable once created.
</Tip>

***

## Related

<CardGroup cols={2}>
  <Card title="Account & API Keys" icon="user" href="/platform/admin/account">
    Create, scope, and revoke named keys
  </Card>

  <Card title="API Reference" icon="code" href="/api-reference/api-reference">
    REST endpoints and authentication
  </Card>

  <Card title="Connectors" icon="link" href="/platform/manage/connectors">
    OAuth connections (GitHub, HuggingFace, and more)
  </Card>

  <Card title="CLI" icon="terminal" href="/cli">
    Authenticate the CLI with a personal key
  </Card>
</CardGroup>
