OAuth
OAuth scopes.
Scopes explain what a connected agent can access. They should be minimal, understandable, and tied to the tools the user is trying to run.
Ask for the minimum.
Reviewers compare requested scopes against tool behavior. A read-only search agent should not request write access, and a write tool should clearly explain its side effects.
- Group scopes by user capability, not provider-internal endpoint names.
- Show scope copy in the chat connect card before OAuth starts.
- Request re-consent when a new version expands access.
- If a tool creates bookings, orders, reservations, expenses, or admin changes, pair the scope with a structured confirmation policy.
Good scope copy.
The user should understand the tradeoff before authorizing the provider.
| Avoid (raw scope name) | Use (user-facing copy) |
|---|---|
| expenses.write | Create expenses only after you confirm them. |
| groups.read | View your groups, members, and balances. |
| booking:all | Create and cancel reservations you ask Orchet to manage. |
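The checks above (minimum scopes per tool, connect-card copy shown before OAuth, re-consent when a new version expands access, and a confirmation policy on every write scope) as an added Python example; this is not Orchet's own code, and the `ScopeSpec`, `MANIFEST`, `TOOLS` and `confirm_each` names are assumptions built from the page's table.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

@dataclass(frozen=True)
class ScopeSpec:
    scope: str                          # provider identifier, never shown as-is
    copy: str                           # user-facing text for the connect card
    writes: bool                        # True when the scope allows side effects
    confirmation: Optional[str] = None  # confirmation policy id for write scopes

# Constructed manifest mirroring the page's table; "confirm_each" is a hypothetical policy id.
MANIFEST: Dict[str, ScopeSpec] = {
    "groups.read": ScopeSpec("groups.read", "View your groups, members, and balances.", False),
    "expenses.write": ScopeSpec("expenses.write", "Create expenses only after you confirm them.", True, "confirm_each"),
    "booking:all": ScopeSpec("booking:all", "Create and cancel reservations you ask Orchet to manage.", True, "confirm_each"),
}

# Constructed tool declarations: the scopes each tool needs and whether it has side effects.
TOOLS = {
    "search_groups": {"scopes": {"groups.read"}, "side_effects": False},
    "create_expense": {"scopes": {"expenses.write"}, "side_effects": True},
    "list_bookings": {"scopes": {"booking:all"}, "side_effects": False},  # over-broad on purpose
}

def requested_scopes(tools: Iterable[str]) -> Set[str]:
    """Ask for the minimum: only the scopes needed by the tools the user is about to run."""
    return set().union(*(TOOLS[t]["scopes"] for t in tools))

def connect_card_copy(scopes: Iterable[str]) -> List[str]:
    """Copy to show in the connect card before OAuth starts, one line per capability."""
    return [MANIFEST[s].copy for s in sorted(scopes)]

def lint_manifest(tools: Dict[str, dict]) -> List[str]:
    """Reviewer checks: no write scope on a read-only tool, a confirmation policy on every write scope, no raw scope name in copy."""
    findings = []
    for name, tool in tools.items():
        for s in tool["scopes"]:
            spec = MANIFEST[s]
            if spec.writes and not tool["side_effects"]:
                findings.append(f"{name}: read-only tool requests write scope {s}")
            if spec.writes and spec.confirmation is None:
                findings.append(f"{s}: write scope has no confirmation policy")
            if spec.scope in spec.copy:
                findings.append(f"{s}: copy exposes the raw scope name")
    return findings

def needs_reconsent(granted: Iterable[str], new_version: Iterable[str]) -> List[str]:
    """Scopes a new version adds beyond the existing grant; a non-empty result means re-consent."""
    return sorted(set(new_version) - set(granted))
```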