Permissions and scopes
Permissions are implemented as scopes. Each scope groups a set of related operations into a single capability you can grant to a key:translate:text covers text translation, glossaries:read covers reading glossaries, and so on. “Permissions” is the user-facing feature; “scopes” is the technical mechanism behind it.
Why scoped keys
Before permissions were introduced in June 2026, every DeepL API key had full access to every endpoint. That’s convenient, but it means a key embedded in a translation widget could also delete your glossaries, and a leaked key exposes your entire API surface. Scoped keys apply the principle of least privilege: each key gets exactly the access its workload needs. A scoped key that leaks, or a service with a bug, can only do what its scopes allow.| Key type | Choose when |
|---|---|
| Unrestricted | The key needs access to any endpoint and doesn’t need to be limited |
| Scoped | The key should reach only specific endpoints, for example to prevent glossaries from being modified inadvertently |
How enforcement works
A developer key becomes scoped the moment you assign it one or more scopes. Once scoped:- The key can call only the endpoints fully covered by its scopes.
- Every other endpoint returns
403 Forbidden, including endpoints that have no scope requirement of their own (currently the case for Voice API endpoints). - Some endpoints require more than one scope. The key must hold all of them; if any is missing, the request is denied.
detail field of the response lists what’s missing: