Scopes
Choose the least-privilege scopes for API keys and MCP grants.
Scopes control access to REST APIs and MCP grants.
MCP grants created from the dashboard are read-only by default. The dashboard write switch adds or removes whatsapp:write for that MCP grant.
| Scope | REST APIs | MCP resources |
|---|---|---|
mcp:whatsapp | Not used by REST API keys. | Required for the /mcp/whatsapp resource. |
whatsapp:read | WhatsApp read endpoints, /v1/me, and /v1/usage. | Allows read tools when granted to the WhatsApp MCP resource. |
whatsapp:write | POST /v1/whatsapp/pair, sends, reactions, edits, deletes, read receipts, groups, and unlink. | Allows write tools when granted to the WhatsApp MCP resource. |
webhooks:manage | /v1/webhooks/* | Not used by the WhatsApp MCP server. |
Create separate API keys for production services, local testing, and CI. Revoke or rotate keys independently without changing the WhatsApp connection.