Skip to main content

Scoped Keys

Secure, user-specific API access tokens for connected devices

After a user successfully goes through the Connect flow and connects their account from a device manufacturer, a scoped key will be created allowing access to data related to this user's devices.

Scoped keys enable you to build customer-facing applications (web portals, mobile apps) that can directly access the Texture API without requiring a backend server to proxy requests.

Getting Your Scoped Key

Using the Texture Connect SDK

If you are using the Texture Connect SDK, then the scoped key will be returned to your application in the onSuccess handler.

Using Direct API Integration

If you are navigating to the hosted connect flow yourself, we will redirect back to your provided URL and add a texture_scoped_key query parameter to it, containing the scoped key for the newly connected user/account.

Using the Scoped Key

You can use this scoped key to make requests to the Texture API to retrieve data related to the newly connected account.

Authentication Format

Scoped keys use the same Texture-Api-Key header as regular API keys:

curl -H "Texture-Api-Key: scoped_example_key_000" \
  https://api.texturehq.com/v1/devices

Scoped keys are prefixed with scoped_, while traditional API keys are prefixed with api_.

Automatic Scoping

This scoped key will only be able to retrieve data related to the user who went through the Connect flow and connected their account. It will not be able to retrieve data for any other user.

When you make API requests with a scoped key:

  • Results are automatically filtered to only the user's devices (by referenceId)
  • Attempts to access other users' devices will return a 403 Forbidden error
  • Only device read operations and commands are allowed

Access & Capabilities

Scoped keys provide access to:

  • Device data - View device details, history, alerts, and tags
  • Commands - Send commands to devices (the only write operation supported)

Scoped keys cannot:

  • Create, update, or delete devices
  • Access sites, customers, programs, or other workspace resources
  • Access devices belonging to other users

Security Best Practices

Secure Storage

Treat scoped keys as sensitive credentials:

  • Store scoped keys encrypted in your database
  • Never commit keys to version control
  • Use platform-specific secure storage for mobile apps (iOS Keychain, Android Keystore)

Key Lifecycle

  • No external rotation: Scoped keys cannot currently be rotated or revoked through the API
  • Compromise response: If you suspect a key has been compromised, contact Texture support immediately
  • User association: Always associate scoped keys with the specific user account in your system

Support

For questions about scoped keys: