Core Concepts
Organizations, projects, tokens, and the resource model
Organizations
An organization is the top-level container for all your resources. Every account starts with a default org.
- Organizations have members with role-based access (owner, admin, developer, viewer, billing)
- Billing is scoped to the organization
- API keys belong to the organization; they may optionally be scoped to a single project
Projects
Projects live inside organizations. They isolate resources:
- Each project gets its own databases, functions, storage buckets, and services
- API keys can be scoped to a project, or stay org-wide and target a project per-request
- Cross-project access requires explicit permission
Organization
├── Project: production
│ ├── Database: main-db
│ ├── Function: api-handler
│ └── Storage: assets-bucket
└── Project: staging
├── Database: staging-db
└── Function: api-handler-stagingAPI Keys and Scopes
API keys authenticate requests and carry scope restrictions. Create scoped keys
from the dashboard (Organization → API Keys), selecting only the scopes the key
needs — e.g. compute:deploy, functions:deploy, storage:write.
Scopes follow a service:action pattern. Key scope groups:
database:query,database:branch,database:admin— database accesscompute:deploy,compute:scale,compute:logs— container managementfunctions:deploy,functions:invoke,functions:logs— serverlessstorage:read,storage:write,storage:delete— object storageai:infer,ai:models— inferencekv:read,kv:write— key-value storeevents:publish,events:subscribe— event buscron:read,cron:write— scheduled jobssandbox:create,sandbox:read,sandbox:execute— sandboxes
Tenant Isolation
API keys belong to the organization. A key scoped to a single project carries its project context automatically; an org-wide key targets a project per-request via the X-Scalix-Project header. Either way, the gateway enforces that a token can only access resources within its organization — and, for project-scoped keys, within that project.
Regions
Scalix Cloud currently runs in a single EU region. Resources are created there and data stays within the region. Multi-region deployment is planned.