Scopes & Permissions
API keys inherit the permissions of the user they belong to. An agent user’s API key can only access projects the agent is assigned to.
Permission Model
| Role | Can create entries | Can approve | Can manage users | Can invoice |
|---|---|---|---|---|
| Member | Own entries only | No | No | No |
| Manager | Own + team | Yes | No | Yes |
| Administrator | All | Yes | Yes | Yes |
Agent users are typically created as Members — they can create time entries and expenses for their assigned projects, but they cannot approve timesheets or manage other users.
Project Scoping
An API key can only interact with projects the associated user is assigned to. Attempting to create a time entry for an unassigned project returns HTTP 403.
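The following is an added example, not the product's own code: a Python model of the two checks described above (role capabilities and project scoping), plus an audit that flags agent users whose role would give their API key more than Member rights. The `User` fields, function names and sample data are hypothetical, and the code assumes project scoping applies to every role, including Administrator.

```python
from dataclasses import dataclass, field

# Role table copied from the Permission Model section.
ROLES = {
    "Member":        {"entries": "own",  "approve": False, "manage_users": False, "invoice": False},
    "Manager":       {"entries": "team", "approve": True,  "manage_users": False, "invoice": True},
    "Administrator": {"entries": "all",  "approve": True,  "manage_users": True,  "invoice": True},
}

@dataclass
class User:  # hypothetical record shape, not the product's schema
    id: str
    role: str
    projects: set = field(default_factory=set)  # assigned project ids
    team: set = field(default_factory=set)      # ids of users this user manages
    is_agent: bool = False

def can_create_entry(key_owner, project_id, entry_owner_id):
    """Return (allowed, reason) for creating a time entry with key_owner's API key."""
    # Project scoping is checked first; the page says this case returns HTTP 403.
    if project_id not in key_owner.projects:
        return False, "403: project not assigned"
    scope = ROLES[key_owner.role]["entries"]
    if entry_owner_id == key_owner.id or scope == "all":
        return True, "ok"
    if scope == "team" and entry_owner_id in key_owner.team:
        return True, "ok"
    # Assumption: the page does not say which status this case returns.
    return False, "denied: entry owner outside role scope"

def audit_agents(users):
    """Flag agent users whose key would inherit more than Member rights."""
    findings = []
    for u in users:
        if not u.is_agent:
            continue
        extra = [cap for cap in ("approve", "manage_users", "invoice") if ROLES[u.role][cap]]
        if extra:
            findings.append((u.id, u.role, extra))
    return findings

# Constructed sample data.
USERS = [
    User("agent-1", "Member", {"proj-a"}, is_agent=True),
    User("agent-2", "Manager", {"proj-a", "proj-b"}, {"u-7"}, is_agent=True),
    User("u-7", "Member", {"proj-b"}),
]
```

Because a key inherits its user's role, `audit_agents(USERS)` reports `agent-2`: its key could approve timesheets and invoice, which the Member default for agents is meant to prevent.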