API scopes¶

Enterprise feature

The REST API is available on Enterprise plans. Compare plans to find the right fit for your team.

Scopes are permissions that control what an API key can do. Think of them like a keycard — each scope unlocks access to a specific part of the API while keeping everything else locked.

How scopes work¶

When you create an API key, you select exactly which scopes it should have. Then, every time you make an API request:

FSM Navigator checks the scopes assigned to your key.
If the key has the required scope, the request is processed.
If the key is missing the required scope, you receive a 403 Forbidden error.

Scopes follow a resource:action format. For example:

jobs:read — permission to read job data
jobs:write — permission to create and update jobs
customers:read — permission to read customer data

You can update a key's scopes at any time from Settings → Company Settings → API Keys without regenerating the key itself.

Available scopes¶

FSM Navigator offers fourteen scopes across six resource types:

Scope	Resource	Permission	What it allows
`jobs:read`	Jobs	Read	List all jobs and retrieve individual job details
`jobs:write`	Jobs	Write	Create new jobs, update existing jobs, and change job status
`customers:read`	Customers	Read	List customers and retrieve customer details with locations
`customers:write`	Customers	Write	Create new customers and update customer information
`assets:read`	Assets	Read	List assets, view asset details, and access service history
`assets:write`	Assets	Write	Create new assets and update asset records
`assets:transfer`	Assets	Transfer	Transfer assets between locations or technicians
`assets:meter`	Assets	Meter	Submit meter readings for tracked assets
`assets:service`	Assets	Service	Create service and maintenance records for assets
`inventory:read`	Inventory	Read	List and retrieve inventory items, stock levels, transactions, and locations
`inventory:write`	Inventory	Write	Create, update, delete inventory items, and adjust stock quantities
`inventory:transfer`	Inventory	Transfer	Transfer stock between locations
`technicians:read`	Technicians	Read	List technicians and view profiles including schedules

Write-implies-read behavior¶

Any scope that grants write, transfer, meter, or service access automatically includes the corresponding read access for the same resource. This is enforced server-side — you do not need to request both scopes.

If key has	Implicitly grants
`jobs:write`	`jobs:read`
`customers:write`	`customers:read`
`assets:write`	`assets:read`
`assets:transfer`	`assets:read`
`assets:meter`	`assets:read`
`assets:service`	`assets:read`
`inventory:write`	`inventory:read`
`inventory:transfer`	`inventory:read`

Fewer scopes, same access

If your integration creates and reads jobs, you only need jobs:write — the read access comes for free. This keeps your key configuration simple.

Scope-to-endpoint mapping¶

Each API endpoint requires a specific scope. Use this table to determine which scopes your integration needs.

Jobs¶

Method	Endpoint	Required scope
`GET`	`/api/v1/jobs`	`jobs:read`
`GET`	`/api/v1/jobs?id={id}`	`jobs:read`
`POST`	`/api/v1/jobs`	`jobs:write`
`PUT`	`/api/v1/jobs?id={id}`	`jobs:write`
`PATCH`	`/api/v1/jobs?id={id}`	`jobs:write`

Customers¶

Method	Endpoint	Required scope
`GET`	`/api/v1/customers`	`customers:read`
`GET`	`/api/v1/customers?id={id}`	`customers:read`
`POST`	`/api/v1/customers`	`customers:write`
`PUT`	`/api/v1/customers?id={id}`	`customers:write`

Assets¶

Method	Endpoint	Required scope
`GET`	`/api/v1/assets`	`assets:read`
`GET`	`/api/v1/assets?id={id}`	`assets:read`
`POST`	`/api/v1/assets`	`assets:write`
`PUT`	`/api/v1/assets?id={id}`	`assets:write`
`PATCH`	`/api/v1/assets?id={id}`	`assets:write`
`POST`	`/api/v1/assets` (meter reading)	`assets:meter`
`POST`	`/api/v1/assets` (transfer)	`assets:transfer`
`POST`	`/api/v1/assets` (service record)	`assets:service`

Inventory¶

Method	Endpoint	Required scope
`GET`	`/api/v1/inventory`	`inventory:read`
`GET`	`/api/v1/inventory?id={id}`	`inventory:read`
`GET`	`/api/v1/inventory?id={id}&sub=stock`	`inventory:read`
`GET`	`/api/v1/inventory?id={id}&sub=transactions`	`inventory:read`
`GET`	`/api/v1/inventory?sub=locations`	`inventory:read`
`GET`	`/api/v1/inventory?sub=low-stock`	`inventory:read`
`POST`	`/api/v1/inventory`	`inventory:write`
`POST`	`/api/v1/inventory?id={id}&sub=adjust`	`inventory:write`
`POST`	`/api/v1/inventory?sub=transfer`	`inventory:transfer`
`PUT`	`/api/v1/inventory?id={id}`	`inventory:write`
`PATCH`	`/api/v1/inventory?id={id}`	`inventory:write`
`DELETE`	`/api/v1/inventory?id={id}`	`inventory:write`

Technicians¶

Method	Endpoint	Required scope
`GET`	`/api/v1/technicians`	`technicians:read`
`GET`	`/api/v1/technicians?id={id}`	`technicians:read`

Choosing the right scopes¶

Follow the principle of least privilege: only grant a key the scopes it actually needs. If your integration only reads data, don't add write scopes.

Common integration scenarios¶

Integration type	Recommended scopes	Why
Dashboard / reporting	`jobs:read`, `customers:read`, `technicians:read`	Read-only access for analytics and visualizations
Job creation system	`jobs:read`, `jobs:write`, `customers:read`	Create and manage jobs, look up customers for assignment
Full CRM sync	`jobs:read`, `jobs:write`, `customers:read`, `customers:write`	Two-way synchronization with your CRM
Asset tracking	`assets:read`, `assets:write`, `assets:meter`, `assets:service`	Full asset lifecycle management
Inventory sync	`inventory:read`, `inventory:write`, `inventory:transfer`	Manage parts, stock levels, and warehouse transfers
Dispatch integration	`jobs:read`, `jobs:write`, `technicians:read`	Assign and track jobs across your team
IoT meter collection	`assets:meter`	Automated meter readings from connected devices

One key per integration

Create a separate API key for each integration or service that connects to your account. This way you can revoke access to one system without disrupting others.

Error responses¶

If you make a request that requires a scope your key doesn't have, the API returns a 403 Forbidden response:

{
  "success": false,
  "error": "insufficient_scope",
  "message": "Required scope: assets:write",
  "required_scope": "assets:write"
}

How to fix scope errors

If you receive a 403 insufficient_scope error:

Go to Settings → Company Settings → API Keys.
Click Edit on the affected key.
Enable the missing scope shown in the error response.
Save your changes — they take effect immediately.

Quick example¶

A key with only jobs:read can list jobs but cannot create them:

Allowed — list jobsBlocked — create job

curl -X GET "https://fsmnavigator.com/api/v1/jobs" \
  -H "X-API-Key: YOUR_API_KEY"

{
  "success": true,
  "data": [
    {
      "job_id": 42,
      "job_title": "AC Repair",
      "job_status": "Pending"
    }
  ]
}

curl -X POST "https://fsmnavigator.com/api/v1/jobs" \
  -H "X-API-Key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"job_title": "AC Repair", "job_priority": "High"}'

{
  "success": false,
  "error": "insufficient_scope",
  "message": "Required scope: jobs:write",
  "required_scope": "jobs:write"
}

Important notes¶

At least one scope required

Every API key must have at least one scope assigned. You cannot create a key with no scopes.

Scopes can be changed anytime

You can add or remove scopes from an existing key at any time from Settings → Company Settings → API Keys. The change takes effect immediately — no need to regenerate the key.

Security best practice

Create separate API keys for different integrations, each with only the scopes that integration requires. This limits the blast radius if a key is ever compromised.

Next steps¶

Authentication — learn how to create and manage API keys
Endpoints overview — full list of available endpoints
Error codes — complete error reference
Best practices — tips for building reliable integrations