# Access ## Grant an API key access to a workspace `client.APIKeys.Access.Add(ctx, id, body) (*APIKey, error)` **post** `/v1/account/api_keys/{id}/workspaces` Grants this API key access to the specified workspace. Idempotent — adding an already-associated workspace is a no-op. Returns the updated API key with refreshed workspace preview and total. ### Parameters - `id string` - `body APIKeyAccessAddParams` - `WorkspaceID param.Field[string]` The workspace to grant access to. ### Returns - `type APIKey struct{…}` An API key for the account. Use workspace-association RPCs to grant the key access to specific workspaces; a key with zero workspaces is valid but cannot access workspace-scoped resources. - `Metadata AccountResourceMetadata` AccountResourceMetadata is used to represent a resource that is associated to an account but not to a workspace. - `ID string` Unique identifier for the resource (prefixed ULID, e.g., "apikey_01HXK...") - `AccountID string` Account this resource belongs to for multi-tenant isolation (prefixed ULID) - `Name string` Human-readable name for the resource (e.g., "Customer Support Agent", "Email Tool") Required for resources that users interact with directly - `ProfileID string` - `ExternalID string` External ID for the resource (e.g., a workflow ID from an external system) - `Labels map[string, string]` Arbitrary key-value pairs for categorization and filtering Examples: {"environment": "production", "team": "platform", "version": "v2"} - `Spec APIKeySpec` Configuration for an API key. - `Token string` The bearer token used to authenticate as this API key. Returned only on creation and rotation; subsequent reads omit this field. - `Description string` Free-form description of what this API key is used for. - `Permissions []string` Permissions granted to this key. Each entry is a colon-separated verb:resource string (e.g. "manage:agents"). Currently has no enforced effect; reserved for future fine-grained authorization. - `System bool` True when this key is managed by the system (e.g. the auto-provisioned global account key). System keys cannot be deleted but can be rotated. - `Info APIKeyInfo` - `CreatedBy Profile` A profile identifies a user or non-human principal (such as an API key) at the account level. Profiles are account-scoped and can be granted access to multiple workspaces. - `Metadata AccountResourceMetadata` AccountResourceMetadata is used to represent a resource that is associated to an account but not to a workspace. - `Spec ProfileSpec` Configuration for a profile. - `Type ProfileSpecType` Whether this profile represents a human user, an API key, or a system principal. - `const ProfileSpecTypeProfileTypeUnspecified ProfileSpecType = "PROFILE_TYPE_UNSPECIFIED"` - `const ProfileSpecTypeProfileTypeUser ProfileSpecType = "PROFILE_TYPE_USER"` - `const ProfileSpecTypeProfileTypeAPIKey ProfileSpecType = "PROFILE_TYPE_API_KEY"` - `const ProfileSpecTypeProfileTypeSystem ProfileSpecType = "PROFILE_TYPE_SYSTEM"` - `Email string` Email address of the profile. Required and unique within an account for user profiles. - `Name string` Display name (e.g., "Bobby Tables"). - `WorkspacesPreview []BareMetadata` Up to a small number of workspaces this key has access to, intended for display ("Workspace 1, Workspace 2, and 4 more"). Use ListAPIKeyWorkspaces for the full paginated list. - `ID string` - `Name string` Human-readable name of the referenced resource, populated by the server on reads for convenience. Absent on references to resources that do not have a name (e.g., objective tasks). - `WorkspacesTotal int64` Total number of workspaces this key has access to. ### Example ```go package main import ( "context" "fmt" "github.com/cadenya/cadenya-go" "github.com/cadenya/cadenya-go/option" ) func main() { client := cadenya.NewClient( option.WithAPIKey("My API Key"), ) apiKey, err := client.APIKeys.Access.Add( context.TODO(), "id", cadenya.APIKeyAccessAddParams{ }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", apiKey.Metadata) } ``` #### Response ```json { "metadata": { "id": "id", "accountId": "accountId", "name": "name", "profileId": "profileId", "externalId": "externalId", "labels": { "foo": "string" } }, "spec": { "token": "token", "description": "description", "permissions": [ "string" ], "system": true }, "info": { "createdBy": { "metadata": { "id": "id", "accountId": "accountId", "name": "name", "profileId": "profileId", "externalId": "externalId", "labels": { "foo": "string" } }, "spec": { "type": "PROFILE_TYPE_UNSPECIFIED", "email": "email", "name": "name" } }, "workspacesPreview": [ { "id": "id", "name": "name" } ], "workspacesTotal": 0 } } ``` ## Revoke an API key's access to a workspace `client.APIKeys.Access.Remove(ctx, id, workspaceID) error` **delete** `/v1/account/api_keys/{id}/workspaces/{workspaceId}` Revokes this API key's access to the specified workspace. Idempotent. A key may have zero workspaces and remains valid. ### Parameters - `id string` - `workspaceID string` ### Example ```go package main import ( "context" "github.com/cadenya/cadenya-go" "github.com/cadenya/cadenya-go/option" ) func main() { client := cadenya.NewClient( option.WithAPIKey("My API Key"), ) err := client.APIKeys.Access.Remove( context.TODO(), "id", "workspaceId", ) if err != nil { panic(err.Error()) } } ``` ## List the workspaces an API key has access to `client.APIKeys.Access.List(ctx, id, query) (*CursorPagination[Workspace], error)` **get** `/v1/account/api_keys/{id}/workspaces` Lists the workspaces this API key has access to. Cursor-paginated. ### Parameters - `id string` - `query APIKeyAccessListParams` - `Cursor param.Field[string]` Pagination cursor from previous response. - `Limit param.Field[int64]` Maximum number of results to return. ### Returns - `type Workspace struct{…}` - `Metadata AccountResourceMetadata` AccountResourceMetadata is used to represent a resource that is associated to an account but not to a workspace. - `ID string` Unique identifier for the resource (prefixed ULID, e.g., "apikey_01HXK...") - `AccountID string` Account this resource belongs to for multi-tenant isolation (prefixed ULID) - `Name string` Human-readable name for the resource (e.g., "Customer Support Agent", "Email Tool") Required for resources that users interact with directly - `ProfileID string` - `ExternalID string` External ID for the resource (e.g., a workflow ID from an external system) - `Labels map[string, string]` Arbitrary key-value pairs for categorization and filtering Examples: {"environment": "production", "team": "platform", "version": "v2"} - `Spec WorkspaceSpec` - `Description string` - `Status WorkspaceStatus` Lifecycle status of the workspace. Archived workspaces reject all requests scoped to them. Server-populated. - `const WorkspaceStatusStatusEnabled WorkspaceStatus = "STATUS_ENABLED"` - `const WorkspaceStatusStatusDisabled WorkspaceStatus = "STATUS_DISABLED"` - `const WorkspaceStatusStatusArchived WorkspaceStatus = "STATUS_ARCHIVED"` ### Example ```go package main import ( "context" "fmt" "github.com/cadenya/cadenya-go" "github.com/cadenya/cadenya-go/option" ) func main() { client := cadenya.NewClient( option.WithAPIKey("My API Key"), ) page, err := client.APIKeys.Access.List( context.TODO(), "id", cadenya.APIKeyAccessListParams{ }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", page) } ``` #### Response ```json { "items": [ { "metadata": { "id": "id", "accountId": "accountId", "name": "name", "profileId": "profileId", "externalId": "externalId", "labels": { "foo": "string" } }, "spec": { "description": "description" }, "status": "STATUS_ENABLED" } ], "pagination": { "nextCursor": "nextCursor", "total": 0 } } ```