OAuth2 Authorization
Scopes
Available OAuth2 permission scopes for Vacation Tracker.
Scopes define the level of access your application is requesting. Users see the requested scopes on the consent screen before granting permission.
Available scopes
| Scope | Used by | Description |
|---|---|---|
openid | Any | Verify your identity |
email | Any | View your email address |
profile | Any | View your profile information |
mcp:workspace:read | MCP | View your workspace's departments, locations, and leave types |
mcp:users:read | MCP | View your workspace's users, their departments and approvers |
mcp:leaves:read | MCP | View leave requests and approvals in your workspace |
zapier:webhooks | Zapier | Receive notifications about your leave requests |
Zapier currently authenticates with the legacy OAuth2 flow. A migration to the modern flow is planned.
Default scope
If no scope parameter is provided in the authorization request, the default scope is openid.
Scope validation
Each registered OAuth client has a list of allowed scopes. If your authorization request includes a scope that is not in your client's allowed list, the request will be rejected with an invalid_scope error:
{
"error": "invalid_scope",
"error_description": "Scope 'zapier:webhooks' is not allowed for this client"
}Requesting multiple scopes
Separate multiple scopes with a space in the scope parameter:
scope=openid email profileWhen URL-encoding:
scope=openid%20email%20profile