> ## Documentation Index > Fetch the complete documentation index at: https://docs.machines.cash/llms.txt > Use this file to discover all available pages before exploring further. # Update key scopes or policy > Update key scopes or policy When to use this: Adjust key permissions or policy constraints on an existing key. Required scope: keys.write. ## OpenAPI ````yaml consumer-openapi.yaml patch /user/v1/keys/{keyId} openapi: 3.1.0 info: title: Machines Cash User API version: 1.0.0 description: >- User API surface for user-key and agent integrations. Canonical endpoints are under /user/v1 and /identity/user-api-keys. Legacy /consumer/v1 and /identity/consumer-api-keys remain supported for backward compatibility. This reference is separate from partner endpoints. servers: - url: https://api.machines.cash description: production security: - UserSessionBearer: [] tags: - name: auth description: Bootstrap user access. - name: keys description: User API key lifecycle. - name: sessions description: Short-lived scoped session minting. - name: webHelper description: Web-session helper endpoints. - name: crypto description: User encryption/decryption helpers. - name: users description: User profile endpoints. - name: kyc description: Identity verification endpoints. - name: agreements description: Agreement read/accept endpoints. - name: onboarding description: Onboarding progress endpoints. - name: cards description: Card management endpoints. - name: folders description: Card folder management endpoints. - name: balances description: Balance read endpoints. - name: contracts description: Collateral contract endpoints. - name: tokens description: Token metadata endpoints. - name: withdrawals description: Withdrawal endpoints. - name: transactions description: Transaction history endpoints. - name: deposits description: Deposit endpoints. - name: identity description: Identity aliases/wallet/deposit preference endpoints. - name: notifications description: Notification preference/device endpoints. - name: payments description: Payment support endpoints. - name: subscriptions description: Subscription and add-on endpoints. - name: referrals description: Referral endpoints. - name: bills description: Bill tracking endpoints. - name: support description: Support context endpoints. - name: spotlight description: Spotlight search endpoints. paths: /user/v1/keys/{keyId}: patch: tags: - keys summary: Update key scopes or policy description: >- Update key scopes or policy When to use this: Adjust key permissions or policy constraints on an existing key. Required scope: keys.write. operationId: patch_user_v1_keys_keyId parameters: - name: keyId in: path required: true description: User key id to update. schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/UpdateKeyRequest' example: scopes: - cards.read revoke: false responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/KeyMetadataResponse' example: ok: true data: {} summary: success '400': $ref: '#/components/responses/BadRequest' '401': $ref: '#/components/responses/Unauthorized' '403': $ref: '#/components/responses/Forbidden' '404': $ref: '#/components/responses/NotFound' '429': $ref: '#/components/responses/TooManyRequests' components: schemas: UpdateKeyRequest: type: object properties: scopes: type: array items: $ref: '#/components/schemas/UserScope' policy: $ref: '#/components/schemas/UserPolicy' revoke: type: boolean additionalProperties: false KeyMetadataResponse: type: object properties: id: type: string keyPrefix: type: string scopes: type: array items: type: string policy: $ref: '#/components/schemas/UserPolicy' createdAt: type: string format: date-time revokedAt: type: string format: date-time nullable: true additionalProperties: true UserScope: type: string enum: - users.read - users.write - kyc.read - kyc.write - agreements.read - agreements.write - onboarding.read - onboarding.write - cards.read - cards.write - cards.secrets.read - folders.read - folders.write - balances.read - contracts.read - contracts.write - deposits.read - deposits.write - withdrawals.write - transactions.read - tokens.read - encryption.read - encryption.write - identity.read - identity.write - payments.read - payments.write - subscriptions.read - subscriptions.write - notifications.read - notifications.write - referrals.read - referrals.write - bills.read - bills.write - support.read - spotlight.read - keys.read - keys.write - sessions.write UserPolicy: type: object properties: maxAuthAmountCents: type: integer minimum: 0 dailySpendCapCents: type: integer minimum: 0 dailyWithdrawalCapCents: type: integer minimum: 0 allowCardSecrets: type: boolean allowedOperationPrefixes: type: array items: type: string additionalProperties: false StandardError: type: object properties: error: type: string message: type: string required: - error - message additionalProperties: true responses: BadRequest: description: Invalid request payload or parameters. content: application/json: schema: $ref: '#/components/schemas/StandardError' Unauthorized: description: Missing/invalid bearer or key credentials. content: application/json: schema: $ref: '#/components/schemas/StandardError' Forbidden: description: Valid auth but missing required scope or blocked by policy. content: application/json: schema: $ref: '#/components/schemas/StandardError' NotFound: description: Resource not found for current user/session. content: application/json: schema: $ref: '#/components/schemas/StandardError' TooManyRequests: description: Rate limit triggered for current key/session. content: application/json: schema: $ref: '#/components/schemas/StandardError' securitySchemes: UserSessionBearer: type: http scheme: bearer bearerFormat: JWT description: >- Bearer session token for User API operations. Legacy UserSessionBearer naming remains supported. ````