Access mode for API keys — read-only and scoped employee access

Bitrix24 VibeCode API keys now have an access mode. Each key can now run in read-only mode: the platform blocks any write request on its side before it ever reaches Bitrix24. This is handy for AI agents with minimal permissions, external integrators, and cases where an employee needs access to data but not the ability to change it.

Two modes. READWRITE — full access, just like before: the key both reads and writes. READONLY — reads go through fine, while any write attempt returns a clear 403 error indicating exactly which Bitrix24 call was blocked. An "Access mode" toggle has appeared in the key creation and editing card, and the current mode is now visible in the /v1/me response — an app or AI agent immediately knows what permissions it has and does not waste requests.

For the portal admin. The keys page has a "Portal policy" card: turn on read-only and every new key on the portal is issued in that mode right away. Even under such a policy, the admin can grant an exception to an individual employee by switching their key. The key owner gets a notification from the Companion bot — who changed the mode and when. Every change is written to the audit log: who switched it (owner or admin) and which key was affected.

Why it matters. A read-only key is safer by nature. An AI agent on Claude or GPT connected via MCP physically cannot corrupt data when the model hallucinates — writes simply will not go through. If such a key leaks, in the wrong hands it can only read. Existing keys were left untouched — they all stayed in read-write mode, and the behavior of current integrations did not change.

Keys and authorization documentation: https://vibecode.bitrix24.com/docs/keys-auth