Permissions

Every API key, and every connected AI app, has a set of permissions that says exactly what it's allowed to do on your behalf. This is useful when you don't want a key to be able to do everything.

Available permissions

| Permission | What it lets the key do |
| --- | --- |
| Read papers | Search, look up paper details, follow citations, read full text. |
| Manage subscriptions | Add, remove, and pull from conference subscriptions. |
| Read research guidance | Search the curated library of research best-practices. |
| Read account details | Look up the account's plan and remaining allowance. |
| Manage API keys | Create and revoke API keys on the team's behalf. |

What a new key gets by default

A fresh API key gets read papers, manage subscriptions, read research guidance, and read account details. That's the standard "research assistant" set — enough to ask questions, manage what venues you follow, and check how many requests you have left today.

Manage API keys is left off by default. A key can't create more keys. If you want a "machine admin" key (for example, for an automated script that provisions other keys), you can opt into the manage-keys permission when minting the key.

Why permissions matter

Permissions are checked on every request. A key that can only read papers will be refused if it tries to manage subscriptions, even if the team owner has full access.

This is the rule that makes shipping a narrow key to an untrusted runtime safe — for example, embedding a Lune key in a public ChatGPT custom connector. The connector can search but can't subscribe, top up credits, or read other parts of your account.

Adjusting permissions for an existing key

You can't change the permissions on a key after it's created — mint a new key with the permissions you want and revoke the old one. This is intentional: if you ever needed to revisit a key's authority, the clean re-issue is the safer move.
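
The per-request check and the re-issue rule described above can be modelled in a few lines. This is an added example, not Lune's code or API: the scope strings, action names and functions are all hypothetical, and the model assumes that an action with no mapped permission is denied.

```python
# Added illustration: a toy model of the rules on this page. All identifiers
# (scope strings, action names, functions) are hypothetical, not Lune's API.
import secrets
from dataclasses import dataclass

DEFAULT_PERMS = frozenset({"read_papers", "manage_subscriptions",
                           "read_guidance", "read_account"})
# Action -> permission it requires (constructed mapping for the example).
REQUIRED = {
    "search_papers": "read_papers",
    "add_subscription": "manage_subscriptions",
    "search_guidance": "read_guidance",
    "get_plan": "read_account",
    "create_key": "manage_keys",
}

@dataclass(frozen=True)          # frozen: permissions cannot change after minting
class ApiKey:
    token: str
    perms: frozenset

REVOKED = set()                  # tokens of revoked keys

def mint(perms=DEFAULT_PERMS):
    """Mint a key; manage_keys is absent unless the caller opts in."""
    return ApiKey(secrets.token_urlsafe(16), frozenset(perms))

def authorize(key, action):
    """Per-request check. Only the key's own permissions count; the
    owner's access is never consulted. Unknown actions are denied."""
    needed = REQUIRED.get(action)
    return (key.token not in REVOKED
            and needed is not None
            and needed in key.perms)

def reissue(old, perms):
    """Change authority the only way the page allows: new key, revoke old."""
    new = mint(perms)
    REVOKED.add(old.token)
    return new

connector = mint({"read_papers"})            # narrow key for an untrusted runtime
assert authorize(connector, "search_papers")
assert not authorize(connector, "add_subscription")
assert not authorize(mint(), "create_key")   # default set excludes manage_keys
admin = reissue(connector, DEFAULT_PERMS | {"manage_keys"})
assert authorize(admin, "create_key") and not authorize(connector, "search_papers")
```

The last line shows both halves of a re-issue: the new key carries the wider authority, and the old token is refused from then on.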