read:alerts and a compromised or misbehaving integration can look, but not touch.
1. Mint a read:alerts-only key
Keys are minted in the Developer Portal under your organization’s API Keys settings (see Authentication). Minting a key with a specific scope subset requires the minting key or user to hold admin:keys.
When creating the key, select only read:alerts — leave write:alerts (and every other scope your integration doesn’t need) unchecked. The resulting key is prefixed sk_live_, same as any other key.
write:alerts implicitly grants read:alerts — a full read/write alerts key can do everything a read-only key can. Going the other way isn’t true: a read:alerts-only key can never create, update, toggle, or delete a rule. See the full table on the Scopes page.2. Verify what it can do
Reads succeed:curl
403:
curl
PUT, DELETE, and the /toggle endpoint — a read-only key gets 403 on all of them, not a silent no-op.
3. Use it from your integration
python
Troubleshooting
403 insufficient_scopeon a call you expected to work: list/get on/v1/alerts/rulesand/v1/alerts/eventsonly needread:alerts— if you’re getting403there, the key wasn’t actually minted with that scope. Re-check it in the Developer Portal.- Need the integration to also pause or edit rules later: don’t loosen the existing key — mint a second key with
write:alertsand use it only for the write path. Keeping read and write traffic on separate keys makes it obvious from request logs which key did what. - Rotating a read-only key: same process as any other key — mint the replacement, cut the integration over, then revoke the old one. See Rotation and revocation.