OAuth Scopes Reference
Reference of available OAuth scopes organized by provider and permission level.
Services can request additional OAuth scopes beyond the defaults. These scopes determine what data your application can access from the OAuth provider.
Configuring Scopes
Configure scopes when creating or updating a service using the provider-specific fields:
{
  "slug": "my-app",
  "name": "My Application",
  "github_scopes": ["user:email", "read:org"],
  "google_scopes": ["email", "profile", "calendar.readonly"],
  "microsoft_scopes": ["User.Read", "Calendars.Read"]
}
GitHub Scopes
Default Scopes
| Scope | Description | Granted by Default |
|---|---|---|
| user:email | Read user email addresses | Yes |
Additional Scopes
| Scope | Description | Use Case |
|---|---|---|
| read:user | Read user profile data | Display profile info |
| user | Read/write user profile | Profile management |
| read:org | Read organization membership | Team features |
| repo | Full repository access | CI/CD integrations |
| public_repo | Public repository access | Open source tools |
| admin:org | Full organization management | Enterprise admin |
| notifications | Access notifications | Notification sync |
Google Scopes
Default Scopes
| Scope | Description | Granted by Default |
|---|---|---|
| email | Read user email | Yes |
| profile | Read basic profile | Yes |
| openid | OpenID Connect | Yes |
Additional Scopes
| Scope | Description | Use Case |
|---|---|---|
| https://www.googleapis.com/auth/calendar.readonly | Read calendar events | Calendar integration |
| https://www.googleapis.com/auth/calendar | Full calendar access | Calendar management |
| https://www.googleapis.com/auth/drive.readonly | Read Drive files | File browsing |
| https://www.googleapis.com/auth/gmail.readonly | Read Gmail messages | Email processing |
Microsoft Scopes
Default Scopes
| Scope | Description | Granted by Default |
|---|---|---|
| User.Read | Read user profile | Yes |
| email | Read user email | Yes |
| openid | OpenID Connect | Yes |
| offline_access | Refresh tokens | Yes |
Additional Scopes
| Scope | Description | Use Case |
|---|---|---|
| Calendars.Read | Read calendar events | Calendar integration |
| Mail.Read | Read email messages | Email processing |
| Files.Read | Read OneDrive files | File browsing |
API Key Permissions
API keys use a separate permission system from OAuth scopes.
Available Permissions
| Permission | Description |
|---|---|
| read:users | List and retrieve user data |
| write:users | Create and update user data |
| delete:users | Delete user data |
| read:subscriptions | Read subscription details |
| write:subscriptions | Create or update subscriptions |
| delete:subscriptions | Cancel subscriptions |
| read:analytics | Access service usage analytics |
| read:service | View service configuration |
| write:service | Update service configuration |
Example API Key Creation
{
  "name": "Backend Integration Key",
  "permissions": ["read:users", "read:subscriptions"]
}
Requesting Provider Tokens
Once a user authenticates with extended scopes, your backend can retrieve the provider access token to call the provider’s API directly:
GET /api/provider-token/github
Authorization: Bearer {jwt}
Response:
{
  "access_token": "gho_16C7e42F292c6912E7710c838347Ae178B4a",
  "scopes": ["user:email", "read:org"],
  "provider": "github",
  "expires_at": "2025-01-20T10:30:00Z"
}
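A backend-side check for the response shown above, as an added example (not part of the original reference or the service's own code): before the token is used, it confirms the provider, the granted scopes and the expiry, and keeps the token out of error messages. The names `check_provider_token`, `ProviderTokenError` and `redact`, and the 60-second clock-skew margin, are assumptions; the sample response is constructed and uses a placeholder token.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample mirroring the response fields documented above (placeholder token).
SAMPLE_RESPONSE = json.dumps({
    "access_token": "gho_EXAMPLE_PLACEHOLDER_TOKEN",
    "scopes": ["user:email", "read:org"],
    "provider": "github",
    "expires_at": "2025-01-20T10:30:00Z",
})


class ProviderTokenError(Exception):
    """Raised when a provider-token response must not be used."""


def redact(token):
    """Keep a short prefix for log correlation; never emit the full token."""
    return token[:4] + "..." if len(token) > 4 else "..."


def check_provider_token(body, provider, required_scopes, now=None, skew=timedelta(seconds=60)):
    """Validate a provider-token response body and return it as a dict.

    Scope matching is exact-string (assumption): provider scope hierarchies are not expanded.
    """
    now = now or datetime.now(timezone.utc)
    try:
        data = json.loads(body)
        token = data["access_token"]
        granted = set(data["scopes"])
        expires_at = datetime.fromisoformat(data["expires_at"].replace("Z", "+00:00"))
        if not isinstance(token, str) or expires_at.tzinfo is None:
            raise ValueError("access_token is not a string or expires_at lacks a UTC offset")
    except (ValueError, KeyError, TypeError, AttributeError) as exc:
        raise ProviderTokenError(f"malformed response: {exc!r}") from None
    if data.get("provider") != provider:
        raise ProviderTokenError(f"token is for {data.get('provider')!r}, expected {provider!r}")
    missing = set(required_scopes) - granted
    if missing:
        raise ProviderTokenError(f"token {redact(token)} lacks scopes: {sorted(missing)}")
    if expires_at - skew <= now:
        raise ProviderTokenError(f"token {redact(token)} is expired or about to expire")
    return data
```

A missing scope means the user authenticated before the service requested it, so the fix is to re-run the OAuth flow rather than to retry the provider call.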