Scope format
Scopes follow theresource:action pattern, where action is read or write. A write scope implies the matching read.
For the live list specific to your tenant (scopes are stored per tenant DB), call:
Default scope
If a client doesn’t request specific scopes, AGO grants every available read scope (e.g.knowledge:read, conversations:read, tickets:read, analytics:read, agents_config:read, accounts:read, custom_data_sources:read) — read-only access. MCP clients that need to write data request the matching write scope explicitly so the consent screen surfaces it to the user.
What Claude Web requests
Claude Web’s connector requests a broad scope set covering both read and write — currentlyknowledge:read, knowledge:write, conversations:read, tickets:read, agents_config:read, agents_config:write, analytics:read, and accounts:read.
Choosing scopes on the consent screen
The consent screen shows the full scope catalog as a checklist, with the scopes the client requested pre-selected. Before granting, you can uncheck any permission to grant less, or check others to grant more — the token carries exactly what you select, not what the client asked for. If you grant fewer scopes than the client requested, the client is told the reduced set in its token response. Calls that need a permission you didn’t grant return403. To change a connection’s scopes later, revoke its token (Admin → Settings → OAuth Connections) and reconnect from the client.
Granting is staff-only — the same privilege bar as creating an API key. The connection is owned by the staff member who approved it.
Adding a new scope
Scopes are managed by AGO support. Email support@useago.com with the resource you’d like the new scope to cover (read, write, or both) and the use case. Once added, the scope appears in/.well-known/oauth-authorization-server for your tenant immediately and becomes selectable on the consent screen.