WhoWorked

Scopes & Permissions

Understand API key scopes and what each permission level allows.

API keys can be created with specific scopes to limit what they can access. This follows the principle of least privilege — only grant the permissions your integration needs.

Available scopes

ScopeDescription
entries:readRead time entries
entries:writeCreate, update, and delete time entries
projects:readRead projects and tasks
projects:writeCreate, update, and delete projects and tasks
clients:readRead clients
clients:writeCreate, update, and delete clients
tags:readRead tags
tags:writeCreate, update, and delete tags
work_sessions:readRead AI work sessions
work_sessions:writeLog AI work sessions

Scope combinations

When creating an API key, you can select any combination of scopes. Common patterns:

  • Read-only integration — Select all *:read scopes for dashboards and reporting.
  • Time tracking botentries:read + entries:write + projects:read.
  • AI agententries:write + projects:read + work_sessions:write for logging work.

Error handling

If your API key lacks a required scope, the API returns 403 Forbidden with a message indicating which scope is needed.

On this page