Capabilities are UI/runtime flags for the embedded YoLead interface. The backend still validates access and state before allowing any action.
Capabilities control iframe UI features. They do not replace API key scope checks, employee access checks, chat access checks, or ticket state validation.
Supported capabilities:
| Capability | Effect | Scope |
|---|
showChatsList | Allows the iframe to show the chats list and open chat pages from that list. | read, read-write |
showChatPage | Allows the iframe to show a specific chat page. | read, read-write |
showSendInput | Allows message input to be shown. | read-write |
showStatusButton | Allows ticket status controls to be shown. | read-write |
showAssigneeButton | Allows assignee controls to be shown. | read-write |
Scope limits:
| API key scope | Allowed capabilities |
|---|
read | showChatsList, showChatPage |
read-write | All capabilities |
If showChatPage is requested without showChatsList, chatId is required.
If a read key requests write capabilities, YoLead silently removes those capabilities from the effective session. The response capabilities field shows what was actually granted. If no view capability remains after filtering, session creation fails.
View capabilities
At least one view capability must be enabled:
showChatsList
showChatPage
Without a view capability, the iframe has no screen to render and session creation fails.
Single-chat restriction
When showChatPage is used without showChatsList, the session must be tied to a specific chatId. In that case, the response includes allowedChatId, and the iframe token is scoped to that chat.