WARP guide
Team, Roles, API Keys, and Account Security
How to manage MFA, sessions, team members, custom roles, scopes, and customer API keys safely.
Security settings control who can access your customer account, what they can do, and how programmatic integrations authenticate. Use least privilege: give people and API keys only the scopes they need.
MFA and Sessions
Enable MFA for your own account to protect portal access. MFA enrollment, verification, backup-code regeneration, and authenticator revocation are self-service settings.
The Sessions page shows active sign-ins. If you see a device or location you do not recognize, revoke that session. For sensitive security actions, WARP may require step-up verification before making the change.
Team Members
The Team page lists users who have access to the active customer. Users are assigned roles, and roles determine scopes.
Use team:read to view team members. Use team:write to change a member's role or remove a member. Removing a member revokes their customer access, but it does not necessarily remove their access to other customers if they belong to more than one.
If someone leaves your organization, remove their access promptly and review any API keys they created or owned.
Roles and Scopes
Roles group scopes into reusable permission sets. A read scope lets a user inspect a resource. A write scope lets a user change it. Some workflows have action-specific scopes, such as submitting or activating a port request.
When creating or editing roles, keep them job-based:
- Billing users usually need billing and usage visibility.
- Developers may need trunks, numbers, messaging, CDRs, and API keys.
- Viewers should receive read-only scopes.
- Customer admins should have enough access to manage team membership, but avoid granting more than necessary.
Custom roles are useful when the built-in role is too broad or too narrow.
API Keys
API keys are customer-scoped credentials for integrations. They should be treated like passwords. The secret is shown only when created or rotated. Store it securely; WARP cannot show the same secret again.
Use api_keys:read to list keys, view prefixes, and inspect audit entries. Use api_keys:write to create, rotate, or revoke keys. Creating, rotating, and revoking keys require step-up verification.
When creating a key:
- Give it a clear name tied to the integration.
- Select only the required scopes.
- Add an IP allowlist when the integration has stable source IPs.
- Store the secret immediately.
- Rotate the key on a regular schedule or when the secret may have been exposed.
If a key may have leaked, revoke or rotate it immediately.
Scopes and API Reference
Security and self-service:
GET /v1/me/mfa/statusPOST /v1/me/mfa/enrollPOST /v1/me/mfa/verifyPOST /v1/me/mfa/backup-codes/regenerateDELETE /v1/me/mfa/authenticators/:idGET /v1/me/sessionsDELETE /v1/me/sessions/:id
Team and roles:
team:readforGET /v1/customers/:id/membersandGET /v1/customers/:id/roles.team:writefor member role changes, member removal, role creation, role updates, deletion, and duplication.
API keys:
api_keys:readfor listing keys and audit history.api_keys:writefor create, rotate, and revoke.GET /v1/customers/:id/api-keysPOST /v1/customers/:id/api-keysPOST /v1/customers/:id/api-keys/:keyId/rotateDELETE /v1/customers/:id/api-keys/:keyIdGET /v1/customers/:id/api-keys/:keyId/audit