We're excited to announce that the Core API now supports granular permissions for API tokens and OAuth tokens. You now have fine-grained control over what your tokens can access and modify, helping you follow the principle of least privilege and improve your integration's security.
How It Works
When you configure a token, you'll specify Features (what functionality the token can use), Namespaces (the scope of resources it can access), and Permissions (what actions it can perform for each resource it has access to).
Granular Permissions
You can now granularly control access for each resource type:
- Read – Retrieve resource information
- Write – Create and update resources
- Delete – Remove resources
- Send – Create and send messages that start new conversations or reply to active ones (note: importing historical messages only requires Write permission)
Best Practices
✅ Limit permissions to only what your integration needs to prevent misuse or security issues
✅ Check the Core API reference documentation for each endpoint to see which permissions are required
✅ Use the minimum viable scope for your use case—you can always expand later if needed
Get Started
Granular permissions are available now for all API tokens and OAuth tokens.
Questions? Drop them in the comments below!