Minimum OAuth Scopes

Hey Folks,

We currently use the default OAuth scopes as defined by your docs.

  • Read and list users and companies
  • Read conversations
  • Read admins
  • Gather App data

However, the nature of our application is that we don’t need to read conversations, or even “list” users and companies; we just need access to the current person we’re talking with.

We’ve had customers ask why we’re asking for permission to list their users and read conversations when we don’t need to.

It seems that these scopes are a hard minimum at the moment, and that I’m not able to remove those which we don’t truly need.

Any plans for this to change?

1 Like

Hey @robertrawlins :wave:

These are only needed if you’re using our framework capabilities, as the requests we send to you contain context on the user, admin, and conversation (if/when there is one). Therefore, you do receive this data when using our framework capabilities, even if you’re not making calls for them through our REST API :+1:

Hope that makes sense!

1 Like

Hey Zach :wave:

What you’re saying makes sense.

One slightly grey area though is that only a single user is passed in the context, not a list, is that right? So perhaps the list permission is overkill?

Also, with conversations, our app only installs on the home screen at the moment, so no conversation is passed in the context… However, I think even if added to a conversation, only the ID is passed in the context, not the content of the conversation? So still feels like the conversation permissions should be optional?

This doesn’t cause me much concern personally, but we have heard from customers installing our app that it made them feel uneasy.

Yeah, super valid feedback here. Those two points are definitely something we could explore:

  • Changing this to the ‘single’ versions of the scopes
  • Making enforced permissions more granular based on the location of apps

Cheers for sharing :raised_hands:

cc/ @hellojeanpierre

1 Like
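The thread boils down to a least-privilege question: the app requests the platform's default bundle of scopes but only ever fetches the single user it is handed in the request context. The script below is an added example, not code from the thread, from Intercom, or from any SDK. It audits an app's requested scopes against the API calls the app actually makes and reports scopes that are unused, scopes that are missing, and "list" scopes that could be narrowed to their "single" equivalent. Every scope name, the endpoint-to-scope table, the rule that a list scope implies the matching single scope, and the sample manifest are constructed for illustration and are not any platform's real identifiers.

```python
"""Least-privilege audit of an OAuth app's requested scopes.

Added example, not code from the forum thread or from any vendor SDK.
The scope names, the endpoint-to-scope table, the IMPLIES relation and
the sample manifest are all constructed and do not reflect any real
platform's scope identifiers.
"""
from dataclasses import dataclass

# Constructed: the scope each API call the app could make requires.
# "single" scopes cover fetching one record by id; "list" scopes cover
# enumeration, which is the broader permission installers tend to question.
ENDPOINT_SCOPES = {
    "GET /users/{id}":         "users:read_single",
    "GET /users":              "users:list",
    "GET /companies/{id}":     "companies:read_single",
    "GET /companies":          "companies:list",
    "GET /conversations/{id}": "conversations:read",
    "GET /conversations":      "conversations:read",
    "GET /admins":             "admins:read",
}

# Constructed assumption: a "list" scope also grants the matching "single" scope.
IMPLIES = {
    "users:list": {"users:read_single"},
    "companies:list": {"companies:read_single"},
}

# Constructed sample manifest mirroring the thread: default bundle requested,
# but the app only looks up the user it was given in the request context.
DEFAULT_SCOPES = {"users:list", "companies:list", "conversations:read", "admins:read"}
APP_CALLS = ["GET /users/{id}"]


@dataclass
class ScopeAudit:
    requested: set
    required: set
    unused: set        # requested, but no call in the code needs them
    missing: set       # needed, but not requested: the call would fail at runtime
    narrowable: dict   # list scope -> single scope that would suffice instead


def expand(scopes):
    """Close a scope set under IMPLIES (what a grant actually covers)."""
    out = set(scopes)
    for s in scopes:
        out |= IMPLIES.get(s, set())
    return out


def audit_scopes(requested, endpoints_called):
    """Compare the scopes an app asks for with the scopes its calls need."""
    unknown = [e for e in endpoints_called if e not in ENDPOINT_SCOPES]
    if unknown:
        raise ValueError(f"no scope mapping for: {unknown}")
    requested = set(requested)
    required = {ENDPOINT_SCOPES[e] for e in endpoints_called}
    missing = required - expand(requested)
    # Unused: neither the scope nor anything it implies is needed by any call.
    unused = {s for s in requested
              if not (({s} | IMPLIES.get(s, set())) & required)}
    # Narrowable: only the implied single scope is needed, not enumeration.
    narrowable = {s: next(iter(IMPLIES[s])) for s in requested
                  if s in IMPLIES and s not in required and IMPLIES[s] & required}
    return ScopeAudit(requested, required, unused, missing, narrowable)


def minimal_request(audit):
    """The scope set the app should request instead: drop unused, narrow lists, add missing."""
    keep = audit.requested - audit.unused - set(audit.narrowable)
    return keep | set(audit.narrowable.values()) | audit.missing


if __name__ == "__main__":
    result = audit_scopes(DEFAULT_SCOPES, APP_CALLS)
    print("unused scopes:    ", sorted(result.unused))
    print("missing scopes:   ", sorted(result.missing))
    print("narrowable scopes:", result.narrowable)
    print("minimal request:  ", sorted(minimal_request(result)))
```

Run this against the sample manifest and it reports three unused scopes, one list scope that could be narrowed to its single form, and a minimal request of just the single-user read. Wiring a check like this into CI (fail the build when the manifest requests anything not in `minimal_request`) keeps scope creep from reappearing later, and it also catches the opposite mistake of a call whose scope was never requested.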

@zach yep, totally agree! :slightly_smiling_face: Thanks for taking the time to talk it through

1 Like