OAuth Scopes


OAuth scopes allow you to specify the level of access your application needs to a user’s account. When initiating an authorization request, users will be prompted to consent to the requested scopes. By restricting your application’s scopes, you provide transparency to the user and protect their account from misuse.

Note: Scopes can only limit access for OAuth tokens; they cannot be used to grant any additional access to the user.

How it works

As an integration developer, you specify your desired scopes in the initial OAuth authorization request.

GET /oauth/authorize?scope=automations apps:read spaces:read identity.name:read

The requested scopes are presented to users for their approval. Any previously approved scopes are not presented again to the user but are still available for the application to use, but applications should always examine what scopes are available on tokens because users can remove previously approved scopes between authorizations.

The authorization server will attempt to grant all the scopes in the client’s allow list even when the scope param is empty, but only scopes in the allow list that are approved by the user will be granted. To request scopes for approval from the user, they must be explicitly included on the authorization request using the scope query param. The offline_access scope is an exception, it won’t be granted implicitly, and it must be requested to get a refresh token.

a screenshot of the consent dialog showing the requested scopes

Available scopes

Note: The user_default and admin_classic scopes should be used only where needed. These scopes are dynamic and may change over time. Good practice is to enforce least privilege principles and assign the specific scopes required for the OAuth client.

user_defaultFull access to your account and content (dynamic - use only where necessary, always enforce least privilege principles as good practice)
admin_classicFull administrator access to your tenant (dynamic - use only where necessary, always enforce least privilege principles as good practice)
admin.appsRead and manage all apps in the tenant
admin.apps:exportExport all apps in the tenant
admin.apps:readRead all apps in the tenant
admin.automationsRead and manage all automations in the tenant
admin.automations:readRead all automations in the tenant
admin.spacesRead and manage all spaces in the tenant
admin.spaces:readRead all spaces in the tenant
appsRead and manage your apps
apps:exportExport your apps
apps:readRead your apps
automationsRead and manage your automations
automations:readRead your automations
automl-experimentsRead and manage your ML experiments
automl-deploymentsRead and manage your ML deployments
identity.email:readRead your email address
identity.name:readRead your full name
identity.picture:readRead your profile picture
identity.subject:readRead your user subject identifier
spaces.dataRead and manage your data spaces
spaces.data:readRead your data spaces
spaces.managedRead and manage your managed spaces
spaces.managed:readRead your managed spaces
spaces.sharedRead and manage your shared spaces
spaces.shared:readRead your shared spaces
offline_accessAccess resources while you are offline
Was this page helpful?