
OAuth Scope Cheatsheet — 60+ Scopes for Google, GitHub, Microsoft, Slack and More

OAuth 2.0 scope reference — 60+ scopes across Google, GitHub, Microsoft, Slack, Spotify, Discord and more, with access level, use cases and risk rating.

  • Runs locally
  • Category: Developer & DevOps
  • Best for: formatting, validating, shrinking, or inspecting code-adjacent text.
69 scopes in total

Google

14 scopes
openid
Low
Access

Authenticate the user via OpenID Connect and receive an ID token with sub (user ID) and standard OIDC claims.

Use cases
  • Sign-in with Google — all you need for basic auth.
  • Federated identity: use Google as your IdP without storing passwords.
  • Single sign-on (SSO) to your own app.
Note

Always request openid alongside profile or email; alone it only returns sub.

profile
Low
Access

Read the user's basic profile: name, photo URL, locale, and Google account ID. Does NOT include the email address.

Use cases
  • Display user name and avatar after sign-in.
  • Personalise the UI with the user's locale preference.
  • Identify returning users by their Google account ID.
email
Low
Access

Read the user's Google account email address and whether it is verified.

Use cases
  • Use as a unique identifier for the user account in your database.
  • Send transactional emails via your own SMTP (not on Google's behalf).
  • Pre-fill email fields in sign-up flows.
https://www.googleapis.com/auth/gmail.readonly
Medium · Requires approval
Access

Read all Gmail messages, threads, labels, and settings. Cannot send, modify, or delete anything.

Use cases
  • Email analytics: count replies, measure response time.
  • Parse order confirmation emails to show a purchase history.
  • Inbox zero tools that surface unread or starred messages.
Note

Triggers Google restricted scope review. Publish a privacy policy and pass security assessment before going live.

https://www.googleapis.com/auth/gmail.send
Medium · Requires approval
Access

Send email on behalf of the user. Cannot read, modify, or delete any messages.

Use cases
  • Send automated replies or acknowledgement emails from the user's address.
  • Email-to-task tools that send a confirmation after creating a task.
  • CRM sending follow-up emails through the user's own Gmail.
Note

Triggers Google sensitive scope review. Prefer this over gmail when you only need to send.

https://www.googleapis.com/auth/gmail.modify
High · Requires approval
Access

Read, compose, send emails, and modify messages (apply labels, mark as read, archive, move to trash). Cannot permanently delete.

Use cases
  • Email workflow tools that triage inbox by labelling and archiving.
  • Newsletter unsubscribe tools that move promo emails to a specific folder.
Note

Restricted scope — requires Google security assessment and a thorough privacy policy.

https://www.googleapis.com/auth/gmail.labels
Low
Access

Create, read, update, and delete Gmail labels. Does not read message content.

Use cases
  • Organiser apps that set up a folder structure on first run.
  • Sync labels from your tool's own tagging system into Gmail.
https://www.googleapis.com/auth/calendar.readonly
Medium · Requires approval
Access

View all Google Calendar event details, attendees, and free/busy information.

Use cases
  • Scheduling assistants that show existing events when suggesting a meeting time.
  • Time tracking apps that pull in calendar events as logged work sessions.
  • Dashboard widgets displaying today's schedule.
Note

Sensitive scope — triggers review. Use the free/busy API with calendar.freebusy if you only need availability.

https://www.googleapis.com/auth/calendar
High · Requires approval
Access

Full access to Google Calendar: create, read, update, and delete all events and calendars.

Use cases
  • Two-way sync between your app's task list and Google Calendar.
  • Meeting scheduling tools that create calendar blocks.
Note

Restricted scope. Use calendar.events if you only manage events (not calendar metadata).

https://www.googleapis.com/auth/drive.file
Low
Access

Access only files created by your app or files the user explicitly opens with your app via the Drive file picker. Cannot browse all Drive files.

Use cases
  • Document editors that save and open their own files in Drive.
  • Backup apps that create a folder and upload files into it.
  • Apps that let users pick an existing file with the Drive file picker.
Note

Prefer this over drive or drive.readonly for most apps — it requires no special review and limits blast radius.

https://www.googleapis.com/auth/drive.readonly
Medium · Requires approval
Access

View and download all files in the user's Google Drive. Cannot create, modify, or delete.

Use cases
  • AI assistants that read the user's documents for context.
  • File migration tools that enumerate and download Drive content.
Note

Sensitive scope — triggers review. Use drive.file if you only need files your app created.

https://www.googleapis.com/auth/drive
High · Requires approval
Access

Full access to all files in Google Drive including create, modify, delete, and manage permissions.

Use cases
  • Full Drive management dashboards that can organise, rename, move, and delete.
  • Team tools that share and restructure entire Drive hierarchies.
Note

Restricted scope requiring Google security assessment and sometimes a third-party audit. Justify why drive.file or drive.readonly cannot meet your needs.

https://www.googleapis.com/auth/spreadsheets.readonly
Medium · Requires approval
Access

Read all spreadsheet data, formulas, formatting, and named ranges.

Use cases
  • BI tools that pull data from Google Sheets as a data source.
  • No-code app builders that use Sheets as a backend database.
Note

Sensitive scope. The Sheets API also has per-spreadsheet access via the Drive file picker if full read access is too broad.

https://www.googleapis.com/auth/spreadsheets
High · Requires approval
Access

Full access to all spreadsheets: read, write, create, and delete.

Use cases
  • Reporting tools that write results back into a tracking spreadsheet.
  • CRMs that sync contact data bidirectionally with a Sheets database.
Note

Sensitive scope triggering review. Prefer spreadsheets.readonly if you only read data.

GitHub

14 scopes
read:user
Low
Access

Read the authenticated user's profile data: name, bio, avatar, location, company, follower count.

Use cases
  • Show user avatar and name after GitHub sign-in.
  • Pre-fill profile fields in your app from their GitHub profile.
user:email
Low
Access

Read the user's email addresses (including private ones) and which is the primary.

Use cases
  • Use a verified GitHub email as the account identifier in your database.
  • Link a GitHub account to an existing account by email match.
Note

Users can hide their email on GitHub but it is still returned here. Treat it as PII.

user
Medium
Access

Full read/write access to profile data including email, followers, following, and starred repos.

Use cases
  • Apps that update the GitHub profile bio or avatar on the user's behalf.
Note

Usually read:user + user:email covers what you need without write access.

public_repo
Low
Access

Read and write access to public repositories only. Includes code, issues, pull requests, and commit statuses.

Use cases
  • Open-source tools that comment on public issues or PRs.
  • Portfolio apps that list and display public repositories.
  • CI integrations setting commit statuses on public repos.
repo
High
Access

Full read/write access to all repositories including private ones: code, issues, PRs, wikis, deployments, and settings.

Use cases
  • Development tools like IDEs and code review apps that need private repo access.
  • Deployment pipelines that push code and update deployment statuses.
  • Full-featured GitHub clients or mirrors.
Note

This is the broadest GitHub scope. Users sometimes see it as a red flag. Use repo:status or public_repo if you can. For GitHub Apps, use fine-grained permissions instead.

repo:status
Low
Access

Read and write commit status for public and private repositories. The minimum needed for CI/CD systems.

Use cases
  • CI/CD pipelines updating ✅/❌ commit status after a build.
  • Code quality bots marking commits as passing or failing.
workflow
High
Access

Add and update GitHub Actions workflow files (.github/workflows/*.yml).

Use cases
  • Tools that scaffold CI pipelines for new projects.
  • Automation platforms that modify workflow configuration.
Note

Allows code execution on GitHub infrastructure. Requires careful review — only grant to apps you fully trust.

notifications
Low
Access

Read and mark notifications; mark threads as read or unsubscribe.

Use cases
  • GitHub notification dashboards and triage tools.
  • Mobile apps surfacing unread review requests.
gist
Low
Access

Create and edit gists on behalf of the user.

Use cases
  • Code snippet sharing tools that save directly to GitHub Gist.
  • Pastebin-alternative apps backed by Gist.
delete_repo
High
Access

Delete repositories the user has admin access to.

Use cases
  • Cleanup scripts that archive and delete deprecated repos.
Note

Irreversible. Request only if your core feature genuinely requires deletion. Never include this as a default scope.

read:org
Low
Access

Read org and team membership, and organisation project board info.

Use cases
  • Tools that check if a user belongs to a GitHub organisation for access control.
  • Team dashboards showing org membership.
admin:org
High
Access

Full control of organisations and teams: create, update, delete members and teams, and manage org settings.

Use cases
  • HR tools that sync employee directory to GitHub org membership.
  • Onboarding automation that adds new hires to the right teams.
Note

Only available to org owners. Grants the ability to add/remove all members.

read:packages
Low
Access

Download packages from GitHub Package Registry.

Use cases
  • CI pipelines installing private npm or Docker packages from GPR.
write:packages
Medium
Access

Upload packages to GitHub Package Registry.

Use cases
  • CI pipelines publishing npm, Docker, or Maven packages to GPR on release.

Microsoft

10 scopes
openid
Low
Access

Issue an ID token for OpenID Connect sign-in. Returns oid (user object ID) and other OIDC claims.

Use cases
  • Microsoft/Azure AD sign-in for web or mobile apps.
  • SSO using Azure AD as the identity provider.
User.Read
Low
Access

Sign in and read the logged-in user's profile: display name, job title, email, photo.

Use cases
  • Show user name and avatar post sign-in.
  • Populate employee directory entries with Graph data.
offline_access
Low
Access

Receive a refresh token so the app can maintain access when the user is not present.

Use cases
  • Background sync that runs overnight without user interaction.
  • Any app needing long-lived access beyond the 1-hour access token lifetime.
Note

Required whenever you need a refresh token. Pair with your other scopes.

Mail.Read
Medium
Access

Read all mail in the user's mailbox, including attachments and metadata.

Use cases
  • Email analytics and reporting dashboards.
  • Document management tools that index email attachments.
Note

Delegated: acts on behalf of the signed-in user. Application permission variant (Mail.Read without user) requires admin consent.

Mail.Send
Medium
Access

Send mail as or on behalf of the signed-in user.

Use cases
  • Apps that send automated follow-ups from the user's Outlook address.
  • CRMs sending sales emails through the rep's own mailbox.
Calendars.Read
Medium
Access

Read the user's calendar events and meeting details.

Use cases
  • Scheduling tools that avoid double-booking by reading existing events.
  • Time-tracking tools that log meeting time automatically.
Calendars.ReadWrite
High
Access

Create, read, update, and delete calendar events.

Use cases
  • Meeting scheduling apps that write calendar blocks.
  • Two-way sync between your app and Outlook calendar.
Files.Read.All
Medium
Access

Read all files the signed-in user can access in OneDrive and SharePoint.

Use cases
  • Search and discovery tools indexing OneDrive content.
  • Document AI tools reading all files for analysis.
Files.ReadWrite.All
High
Access

Full access to all files the user can access: read, write, create, delete.

Use cases
  • File management dashboards managing OneDrive/SharePoint content.
Note

Prefer Files.ReadWrite for app-managed files only, or use the Files.ReadWrite.AppFolder scope for a sandboxed app folder.

Directory.Read.All
High · Requires approval
Access

Read all directory data in the Azure AD tenant: users, groups, devices, applications.

Use cases
  • IT admin tools listing all users and group memberships.
  • Security tools auditing AAD configuration.
Note

Requires admin consent for the tenant — individual users cannot grant this. Not suitable for consumer apps.

Slack

7 scopes
channels:read
Low
Access

View basic information about public channels in the workspace.

Use cases
  • Bots listing available channels to let users choose where to post.
  • Dashboards displaying workspace channel structure.
chat:write
Low
Access

Send messages as the app (not as a user). The standard scope for posting bot messages.

Use cases
  • Notification bots that alert a channel on deploy, alert, or event.
  • Standup bots asking daily questions in a channel.
  • Integrations posting summaries or reports into Slack.
channels:write
Medium
Access

Create, archive, and rename public channels, and manage channel memberships.

Use cases
  • Project management tools that create a Slack channel per project.
files:read
Low
Access

View files shared in channels and conversations the app has access to.

Use cases
  • Document search tools indexing files shared in Slack.
users:read
Low
Access

View basic information about workspace members: display name, timezone, status. No email.

Use cases
  • Apps that tag or mention workspace members by name.
  • Scheduling tools that check member timezones.
users:read.email
Medium
Access

View email addresses for workspace members. Requires users:read as a prerequisite.

Use cases
  • CRMs matching Slack users to contact records by email.
  • SSO tools linking Slack accounts to your internal directory.
Note

User email addresses are PII. Slack workspace admins may restrict this scope.

team:read
Low
Access

View the workspace name, icon, domain, and email domain.

Use cases
  • Multi-workspace apps that show the workspace branding in the UI.

Spotify

7 scopes
user-read-email
Low
Access

Read the user's email address registered on their Spotify account.

Use cases
  • Use as account identifier or for sending transactional emails.
user-read-private
Low
Access

Read the user's subscription level (Free, Premium), country, and product type.

Use cases
  • Feature gates that unlock premium content only for Spotify Premium users.
playlist-read-private
Low
Access

Read private and collaborative playlists the user has created or subscribed to.

Use cases
  • Music apps displaying all user playlists including private ones.
playlist-modify-public
Medium
Access

Create and edit public playlists on behalf of the user.

Use cases
  • Collaborative playlist tools that add tracks based on recommendations.
  • Concert setlist apps that create a playlist from the show.
playlist-modify-private
Medium
Access

Create and edit private playlists.

Use cases
  • Mood or activity playlist generators saved privately.
user-library-read
Low
Access

Read the user's saved songs and albums (Your Library).

Use cases
  • Music stats apps showing the user's listening library.
user-top-read
Low
Access

Read the user's top artists and tracks over different time ranges.

Use cases
  • Music personality and taste analysis apps.
  • Year-in-review tools (your own Spotify Wrapped).

Twitter / X

7 scopes
tweet.read
Low
Access

Read tweets, timelines, and public conversation data for the authenticated user and other users.

Use cases
  • Social media dashboards pulling in mentions and replies.
  • Sentiment analysis tools consuming public tweet streams.
tweet.write
Medium
Access

Create, delete, and hide tweets and replies on behalf of the user.

Use cases
  • Social media scheduling tools posting tweets on a schedule.
  • Thread management tools that delete and re-post cleaned-up threads.
users.read
Low
Access

Read public user profile information: name, bio, follower/following counts.

Use cases
  • Profile enrichment — pulling social context into a CRM.
follows.read
Low
Access

Read the user's follower and following lists.

Use cases
  • Audience analysis showing who follows you and who you follow.
offline.access
Low
Access

Get a refresh token to maintain access without requiring the user to re-authorize.

Use cases
  • Scheduled posting tools that need to act while the user is offline.
like.read
Low
Access

Read the tweets the user has liked.

Use cases
  • Read-it-later tools that bookmark liked tweets.
like.write
Medium
Access

Like and unlike tweets on behalf of the user.

Use cases
  • Engagement automation tools (use ethically and within Twitter API rules).

Discord

5 scopes
identify
Low
Access

Read the user's Discord username, discriminator, avatar, and user ID. Does NOT include email.

Use cases
  • Discord sign-in — show username and avatar after auth.
  • Link a Discord account to your platform without storing passwords.
email
Low
Access

Read the email address associated with the user's Discord account.

Use cases
  • Use as account identifier or to match with an existing account in your database.
guilds
Low
Access

List the guilds (servers) the user is a member of, along with their roles.

Use cases
  • Gating features by server membership — "must be in XYZ server to access".
  • Dashboard showing which communities the user belongs to.
guilds.join
High
Access

Add the user to a guild (server) without requiring them to click an invite link.

Use cases
  • Onboarding flows that automatically add new customers to a support server.
Note

Requires a bot token in the same request. User is added silently — use with a clear UI disclosure.

bot
Medium
Access

Add a bot to a guild with the permissions specified in the OAuth URL.

Use cases
  • Slash command bots that users install directly into their servers.
  • Moderation bots authorized via OAuth guild install.
Note

Permissions for the bot are separate from this scope — specify them with the permissions bitmask in the OAuth URL.

LinkedIn

3 scopes
r_liteprofile
Low
Access

Read the member's name, headline, profile photo, and vanity URL.

Use cases
  • LinkedIn sign-in — populate user name and avatar.
  • Import profile data to create an account without a registration form.
r_emailaddress
Low
Access

Read the member's primary email address registered on LinkedIn.

Use cases
  • Use email as unique identifier for account linking.
w_member_social
Medium
Access

Create, edit, and delete posts, comments, and likes on LinkedIn on behalf of the member.

Use cases
  • Social media schedulers that post content to LinkedIn on a schedule.
  • Content amplification tools that auto-comment on company posts.

Stripe

2 scopes
read_only
Low
Access

Read-only access to the connected Stripe account: view charges, customers, products, and payouts.

Use cases
  • Financial dashboards that display revenue and payout data.
  • Analytics tools auditing subscription metrics across connected accounts.
Note

Stripe Connect: the user connects their own Stripe account, not yours. Use read_only unless your feature actively needs to create or modify data.

read_write
High · Requires approval
Access

Full read and write access to the connected Stripe account: create charges, issue refunds, manage subscriptions.

Use cases
  • Payment platforms that create charges on behalf of connected merchants.
  • Billing tools that manage subscriptions and issue refunds.
Note

Grants full control over the user's Stripe account including issuing refunds and modifying payout settings. Justify in your Stripe app review.

What this tool does

Searchable OAuth 2.0 scope reference covering 60+ scopes across Google (Gmail, Drive, Calendar, Sheets), GitHub, Microsoft Graph API, Slack, Spotify, Twitter/X, Discord, LinkedIn and Stripe. Every entry shows the exact scope string you copy into your app config, what access it grants in plain English, 2–3 real use cases, a risk rating (low / medium / high), and notes on approval requirements and security gotchas. Filter by provider or risk level, search across scope strings and descriptions, copy any scope with one click. Designed for developers integrating OAuth — helps you pick the narrowest scope that does the job and avoid requesting overly broad permissions that delay app approval or spook users. Fully client-side, zero telemetry.

Tool details

Input
Text
The page exposes text boxes, numeric controls, file pickers, or structured inputs depending on the tool.
Output
Live result + Copy
The result area focuses on usable output, with copy, download, or preview actions when supported.
Privacy
Browser-side processing
The main tool logic does not call an external API, so inputs normally stay in the current tab.
Save / share
No account required
Open the page and use it; whether results survive refresh depends on the tool.
Performance budget
Initial JS <= 65 KB
No WASM budget is declared, keeping the tool quick to open on mobile.
Best fit
Developer & DevOps · Developer
Category and role tags drive related tools, internal links, and quick fit checks.

How to use

  1. Input

    Paste or drop your content into the tool panel.

  2. Process

    Click the button. All processing is local in your browser.

  3. Copy / Download

    Copy the result or download to disk in one click.

How OAuth Scope Cheatsheet fits into your work

Use it in the small gaps between coding, reviewing, debugging, and shipping.

Developer jobs

  • Formatting, validating, shrinking, or inspecting code-adjacent text.
  • Preparing snippets for documentation, tickets, commits, or handoff.
  • Checking a small payload quickly without switching tools.

Developer checks

  • Run irreversible transforms like minify or obfuscate on a copy.
  • Keep secrets out of pasted snippets unless the tool explicitly stays local.
  • Use your normal tests or linter before shipping transformed code.

Good next steps

These links move the current task into a more complete workflow.

  1. JWT Decoder: decode JWT header / payload / signature, verify structure, check exp, copy claims (browser-only).
  2. HTTP Status Code Explorer: all 70+ codes with meaning, common causes, real examples, and what to check.
  3. DNS Record Explainer: all 18 common record types (A, AAAA, CNAME, MX, TXT, SRV, etc.) with syntax, examples, and gotchas.

Real-world use cases

  • Integrating Google Sign-In and Drive API for a document management app

    You are building a tool that lets users import their Google Drive docs. You check this cheatsheet and see that drive.file only gives access to files your app created or opened, while drive gives full Drive access. You choose drive.file for the narrower footprint, pair it with drive.readonly for the browsing step, and avoid the manual review that drive triggers. The consent screen shows a focused permission, and your app sails through Google's verification in two weeks instead of two months.

  • Setting up a GitHub bot that comments on pull requests

    Your CI bot needs to post review comments. You pull up the cheatsheet and find repo is marked high-risk (full private repo control) while repo:status and public_repo cover open-source commenting. You end up using a GitHub App with pull_requests:write permission instead of an OAuth scope, but the cheatsheet comparison helps you make that call with a clear understanding of the tradeoffs.

Common pitfalls

  • Requesting the gmail scope (full access including delete) when you only need gmail.send. The send-only scope avoids Google's manual review for sensitive scopes and gives users a much narrower consent prompt.

  • Requesting repo on GitHub for a read-only integration. Use public_repo for public repos or the repo:status / read-only equivalent — repo grants write and delete access to all private repos.

  • Joining multiple scopes with commas in the scope= query parameter. The OAuth 2.0 spec requires space-separated values. Commas silently fail or get treated as a single malformed scope string by many providers.
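The three pitfalls above can be caught before a request ever leaves your app. The Python below is an added example and is not part of the cheatsheet tool or any provider's SDK: it builds an authorization URL with a space-separated scope parameter (percent-encoded as %20), refuses scope tokens that contain commas or whitespace, and lints an existing URL against a small risk table. The client ID, redirect URI and state values are placeholders, and the risk table embeds only the handful of ratings shown on this page; everything else is reported as unknown rather than guessed.

```python
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Risk ratings for a few scopes, copied from the cheatsheet above. Any scope
# not listed here is reported as "unknown" rather than guessed.
SCOPE_RISK = {
    "openid": "low",
    "email": "low",
    "profile": "low",
    "https://www.googleapis.com/auth/gmail.send": "medium",
    "https://www.googleapis.com/auth/gmail.modify": "high",
    "https://www.googleapis.com/auth/drive.file": "low",
    "https://www.googleapis.com/auth/drive": "high",
    "repo": "high",
    "repo:status": "low",
    "public_repo": "low",
    "delete_repo": "high",
}


def build_authorize_url(endpoint, client_id, redirect_uri, scopes, state):
    """Build an OAuth 2.0 authorization-code request URL.

    Scopes are joined with a single space, as RFC 6749 section 3.3 requires,
    and the space is percent-encoded as %20 so every provider decodes it back
    to a space. A token containing a comma or whitespace is rejected up front
    instead of being sent as one malformed scope string.
    """
    for token in scopes:
        if not token or "," in token or any(c.isspace() for c in token):
            raise ValueError(f"invalid scope token: {token!r}")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{endpoint}?{urlencode(params, quote_via=quote)}"


def lint_scope_param(url):
    """Inspect the scope parameter of an authorization URL.

    Returns (tokens, findings): the scope tokens the provider will see and a
    list of problems, namely comma-joined scopes and any scope the cheatsheet
    rates as high risk.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    raw = query.get("scope", [""])[0]  # parse_qs already decodes %20 and +
    findings = []
    if "," in raw:
        findings.append("scopes are comma-joined; OAuth 2.0 requires space-separated values")
    # Split on the separator the author evidently intended so the risk check still runs.
    tokens = [t for t in raw.replace(",", " ").split() if t]
    for token in tokens:
        if SCOPE_RISK.get(token, "unknown") == "high":
            findings.append(f"high-risk scope requested: {token}")
    return tokens, findings


if __name__ == "__main__":
    # Constructed inputs: placeholder client id, redirect URI and state, not real registrations.
    ok = build_authorize_url(
        "https://accounts.google.com/o/oauth2/v2/auth",
        "CLIENT_ID_PLACEHOLDER",
        "https://app.example/oauth/callback",
        ["openid", "email", "https://www.googleapis.com/auth/drive.file"],
        "random-state-value",
    )
    print(ok)
    print(lint_scope_param(ok))
    # A comma-joined request that also asks for the broadest GitHub scope.
    bad = "https://github.com/login/oauth/authorize?client_id=CLIENT_ID_PLACEHOLDER&scope=repo,read:user"
    print(lint_scope_param(bad))
```

Run it as a script to see the well-formed Google URL pass with no findings and the comma-joined GitHub URL produce two: one for the separator and one for repo. Wiring lint_scope_param into a test that runs over the authorization URLs your app actually generates is the cheapest way to stop the comma mistake and scope creep from reaching the consent screen.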

Privacy

All data is bundled with the page. Searching, filtering, and copying scopes never sends any request to a server. No API calls, no telemetry, no logging. Scope strings and descriptions are static reference data.


Made by Toolora · 100% client-side · Updated 2026-07-01