Feature Request: Read-Only OAuth Scope for Enhanced Security

Hi everyone,

I’m working on an integration that only uses the access token (API key) of a few users. I require read access to Asana data (e.g., tasks, projects, and workspaces). Currently, the default OAuth scope in the Asana app (under the Developer console) grants full access—including write capabilities—which isn’t necessary for read-only use cases and increases security risks if the token is ever compromised.

What I’m Proposing:
A dedicated read-only OAuth scope (for example, named “readonly”) that restricts access tokens solely to read operations. With this scope, integrations could be built to strictly fetch data without the ability to modify, create, or delete any items.

Benefits:

Enhanced Security: Limiting tokens to read-only minimizes risk, especially if tokens are leaked or misused.
Compliance: Helps organizations with strict security policies adhere to the principle of least privilege.
Increased Trust: Users may be more willing to authorize integrations knowing that write permissions are not being requested.
Developer Flexibility: Developers can choose to request only the necessary permissions for their app’s purpose.

I believe such a feature would be a win-win for both security-conscious users and developers building integrations that don’t require full access.

Has anyone else faced this issue or have thoughts on the potential implementation of a read-only scope? I’d love to hear feedback or any updates regarding this possibility.

Thanks in advance!
Siddarth Todi

1 Like

Hi @Siddarth_Todi,

Thank you for sharing this feedback, this is good timing. We’re currently working on this feature. Be on the lookout in our developer docs for documentation related to our scopes early release preview soon :slight_smile:

5 Likes

Hey @Siddarth_Todi, great news — we’ve just launched our scopes preview! You can check out the details here: [ New ] OAuth permission scopes

4 Likes

Hey @John_Vu
That’s awesome. Thanks a lot to you and your team for such a prompt response :raising_hands:

2 Likes

Hey @John_Vu
While working on the app implementation, after fetching the access_token of users through the application (via code and refresh_token), when I use that same access token to access a few GET APIs (view only), it restricts me because of the scope.
For example, while using the API: https://app.asana.com/api/1.0/user_task_lists/{user_task_list_gid}
The error I’m encountering is:
errors: [
  {
    message: 'One of the following scopes must be present to use this endpoint: default',
    help: 'For more information on API status codes and how to handle them, read the docs on errors: Errors'
  }
]

I request your team to kindly look into this.
Thanks in advance
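The scope error quoted above has a stable shape (an errors array whose message names the accepted scopes), so an integration can recognise it and report which scope the endpoint wants instead of failing opaquely or blindly re-authorising with broader permissions. The following is an added example, not code from the thread or from Asana: the message text is copied from the post, the JSON framing around it is assumed, and the granted scope name "example:read" is a constructed placeholder, not a real Asana scope.

```python
import json
import re
from dataclasses import dataclass, field

# Constructed sample shaped like the error body quoted in the thread:
# the message text is from the post, the {"errors": [...]} framing is assumed.
SAMPLE_ERROR_BODY = json.dumps({
    "errors": [
        {
            "message": "One of the following scopes must be present to use this endpoint: default",
            "help": "For more information on API status codes and how to handle them, "
                    "read the docs on errors: Errors",
        }
    ]
})

# Matches the scope error message and captures the list of accepted scopes.
_SCOPE_MSG = re.compile(
    r"One of the following scopes must be present to use this endpoint:\s*(?P<scopes>.+)$"
)


@dataclass
class ScopeCheck:
    is_scope_error: bool
    required: list = field(default_factory=list)   # scopes the endpoint accepts (any one)
    missing: list = field(default_factory=list)    # non-empty if the token has none of them


def required_scopes_from_body(raw: str) -> list:
    """Return the scopes named in a scope error body; empty list if the body is not one."""
    try:
        body = json.loads(raw)
    except json.JSONDecodeError:
        return []
    found = []
    for err in body.get("errors", []):
        m = _SCOPE_MSG.search(str(err.get("message", "")))
        if not m:
            continue
        # The message lists alternatives; split on commas, whitespace and "or" defensively.
        for scope in re.split(r"[,\s]+|\bor\b", m.group("scopes")):
            scope = scope.strip().strip(".")
            if scope and scope not in found:
                found.append(scope)
    return found


def check_scope_error(raw: str, granted: set) -> ScopeCheck:
    """Classify an error body against the scopes the token was actually granted."""
    required = required_scopes_from_body(raw)
    if not required:
        return ScopeCheck(is_scope_error=False)
    # The endpoint accepts any one of the listed scopes, so one match is enough.
    missing = [] if granted.intersection(required) else required
    return ScopeCheck(True, required, missing)


if __name__ == "__main__":
    # Hypothetical narrowly scoped token calling the endpoint from the thread.
    granted = {"example:read"}  # placeholder scope name, not an Asana scope
    result = check_scope_error(SAMPLE_ERROR_BODY, granted)
    if result.is_scope_error:
        # Surface the gap to the operator rather than silently widening the grant.
        print(f"endpoint requires one of {result.required}; token lacks {result.missing}")
```

Treating "default" as a signal worth logging, rather than something to request reflexively, keeps the least-privilege intent of the original feature request intact while the scope rollout is still partial.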

Hey @Siddarth_Todi,

Ah yes, the reason you are seeing the error message “One of the following scopes must be present to use this endpoint: default” is that we have not implemented scopes for this endpoint yet.

This is probably confusing since there are some endpoints with similar names:

Tasks:

User task lists:

The endpoint you mentioned, Get a user task (https://app.asana.com/api/1.0/user_task_lists/{user_task_list_gid}), does not have scopes implemented for it yet. Hence, it is asking for the default scope.

You can reference the list of endpoints with scopes here: OAuth scopes

Additionally, you can also tell whether we’ve implemented scopes for an endpoint if you see “Required scope:” in the description of the endpoint, e.g.:

If an endpoint you are using doesn’t have scopes implemented yet, you’ll need to set up your app to use the default scope, which is essentially full permissions.