When a client app is added to the Developer Console, you need to specify OAuth scopes for the app. A scope is a set of permissions for the resources that the client app can access, and it determines which API operations are available. The same scopes also bound the permissions of the access token issued for the app.
At least one scope is required to make an API call. For more information, see the description of each API operation.
An OAuth scope name is formatted as {resource name}.operation, where a resource name can include child resources separated by dots (.) if needed. For example, the scope group.folder refers to a resource named "group" that has a child resource named "folder".
A child resource inherits permissions from its parent resource.
An operation refers to the scope of permissions for the resource. For example, the user resource has two scopes, user and user.read, which differ only in their operation.
The user scope allows API operations that read or read/write the user resource. The user.read scope allows only API operations that read the user resource, so with it you cannot make an API call to add a new user or delete an existing one. In this way, an OAuth scope specifies the scope of permissions for the resource that the client app accesses.
Note
- To send a message to members by using a message bot, you need to add the bot scope, not the user scope.
You can select one or more scopes for each client app in the Developer Console. The specified scopes are shown to users after they log in to the client app. Note that some scopes may not be shown depending on the pricing plan.
You can guess the OAuth scopes of an API operation from its HTTP method. Here are the user scopes by method.
Since the user scope covers all the API operations allowed by the user.read scope, you do not need to add both scopes at the same time. However, using the user scope alone makes unintended data changes possible, so if you only need to view user information, the user.read scope is recommended.
Note
- Guessing the OAuth scopes from a method is not always correct. See the description of each API operation for the exact OAuth scopes.
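As an added example (not the platform's own code), the following Python models the naming rules described above: a parent scope covers its child resources, a read/write scope covers the read scope of the same resource, and a least-privilege check flags a read/write scope where the .read scope would already do. It assumes a scope is read-only exactly when it ends in .read and treats openid, email and profile as exact matches; the exact scope each operation requires still comes from that operation's description.

```python
# Added example modelling the {resource name}.operation scope scheme; the
# matching rules are inferred from the text, not taken from the platform's code.
from __future__ import annotations

# OIDC scopes are not of the {resource}.operation form and are matched exactly.
OIDC_SCOPES = {"openid", "email", "profile"}


def parse_scope(scope: str) -> tuple[tuple[str, ...], bool]:
    """Return (resource path, read_only).
    'group.folder.read' -> (('group', 'folder'), True)
    'user'              -> (('user',), False)   # read/write"""
    parts = scope.split(".")
    read_only = parts[-1] == "read"
    if read_only:
        parts = parts[:-1]
    if not parts or any(p == "" for p in parts):
        raise ValueError(f"malformed scope: {scope!r}")
    return tuple(parts), read_only


def scope_covers(granted: str, required: str) -> bool:
    """True if `granted` includes every permission of `required`.
    Rules from the text: a parent resource covers its child resources
    (group covers group.folder) and a read/write scope covers the read
    scope of the same resource (user covers user.read), never the reverse."""
    if granted in OIDC_SCOPES or required in OIDC_SCOPES:
        return granted == required
    g_path, g_read = parse_scope(granted)
    r_path, r_read = parse_scope(required)
    same_or_descendant = r_path[: len(g_path)] == g_path
    return same_or_descendant and (r_read or not g_read)


def is_allowed(token_scopes: set[str], required: str) -> bool:
    """Would a token carrying `token_scopes` satisfy an operation
    that requires the `required` scope?"""
    return any(scope_covers(g, required) for g in token_scopes)


def excess_write_scopes(token_scopes: set[str], required: set[str]) -> set[str]:
    """Read/write scopes whose .read form would already satisfy every
    required scope they cover (e.g. user granted when only user.read is needed)."""
    excess = set()
    for g in token_scopes:
        if g in OIDC_SCOPES or parse_scope(g)[1]:
            continue  # OIDC scopes and read-only scopes cannot be narrowed further
        covered = [r for r in required if scope_covers(g, r)]
        if covered and all(scope_covers(g + ".read", r) for r in covered):
            excess.add(g)
    return excess
```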
The following table shows the scopes and plans available in the Developer Console. Each scope specifies a client app's access permissions for the resource.
| Scope | Operation | Standard | Advanced |
|---|---|---|---|
| openid | Scope required for OpenID Connect (OIDC) authentication. It is required to get an ID token. | ○ | ○ |
| email | An ID token contains the member's email information. | ○ | ○ |
| profile | An ID token contains the member's profile information. | ○ | ○ |
| audit.read | Read | ○ | ○ |
| monitoring.read | Read | ○ | ○ |
| board | Read/Write | ○ | ○ |
| board.read | Read | ○ | ○ |
| bot.message | Read | ○ | ○ |
| bot | Read/Write | ○ | ○ |
| bot.read | Read | ○ | ○ |
| calendar | Read/Write | ○ | ○ |
| calendar.read | Read | ○ | ○ |
| contact | Read/Write | ○ | ○ |
| contact.read | Read | ○ | ○ |
| file | Read/Write | ○ | ○ |
| file.read | Read | ○ | ○ |
| form | Read/Write | ○ | ○ |
| form.read | Read | ○ | ○ |
| group | Read/Write | ○ | ○ |
| group.read | Read | ○ | ○ |
| group.note | Read/Write | ○ | ○ |
| group.note.read | Read | ○ | ○ |
| group.folder | Read/Write | ○ | ○ |
| group.folder.read | Read | ○ | ○ |
| mail | Read/Write | ○ | |
| mail.read | Read | ○ | |
| orgunit | Read/Write | ○ | ○ |
| orgunit.read | Read | ○ | ○ |
| directory | Read/Write | ○ | ○ |
| directory.read | Read | ○ | ○ |
| security.external-browser | Read/Write | ○ | ○ |
| security.external-browser.read | Read | ○ | ○ |
| task | Read/Write | ○ | ○ |
| task.read | Read | ○ | ○ |
| user | Read/Write | ○ | ○ |
| user.read | Read | ○ | ○ |
| user.email.read | Read | ○ | ○ |
| user.profile.read | Read | ○ | ○ |
| Scope | Resource | Operation | Standard |
|---|---|---|---|
| openid | - | Scope required for OpenID Connect (OIDC) authentication. It is required to get an ID token. | ○ |
| email | - | An ID token contains the member's email information. | ○ |
| profile | - | An ID Token contains the member's profile information. | ○ |
| audit | Audit/Log | Read/Write | ○ |
| audit.read | Audit/Log | Read | ○ |
| group | Group | Read/Write | ○ |
| group.read | Group | Read | ○ |
| orgunit | Team | Read/Write | ○ |
| orgunit.read | Team | Read | ○ |
| directory | Team, Member, Job level, Position, User type, Group | Read/Write | ○ |
| directory.read | Team, Member, Job level, Position, User type, Group | Read | ○ |
| security.external-browser | External browser | Read/Write | ○ |
| security.external-browser.read | External browser | Read | ○ |
| user | Member | Read/Write | ○ |
| user.read | Member | Read | ○ |
| user.email.read | Member (email) | Read | ○ |
| user.profile.read | Member (profile) | Read | ○ |