API keys inherit the full permissions of the user who creates them, and there does not appear to be a way to scope the key itself to specific workspaces, folders, or record types.
This creates concern internally when building integrations for Aha! Knowledge, especially around discovery or strategy content that teams expect to remain tightly controlled.
It seems like even when a user is a Knowledge-only user, they can still get discovery items via the API.
The current model creates hesitation during security and stakeholder reviews. Teams want clearer boundaries around what an integration can and cannot access.
If this capability does not already exist, it would be helpful to allow admins to scope API keys independently of the user’s broader permissions.
Examples might include:
Limiting a key to specific workspaces
Restricting by record type such as pages only
Restricting access to specific folders within Knowledge or Develop
Enforcing read-only access at the key level