I’m working on an integration that only uses the access tokens (API keys) of a few users. I require read access to Asana data (e.g., tasks, projects, and workspaces). Currently, the default OAuth scope in an Asana app (under the developer console) grants full access—including write capabilities—which isn’t necessary for read-only use cases and increases security risks if the token is ever compromised.
What I’m Proposing:
A dedicated read-only OAuth scope (for example, named “readonly”) that restricts access tokens solely to read operations. With this scope, integrations could be built to strictly fetch data without the ability to modify, create, or delete any items.
Benefits:
Enhanced Security: Limiting tokens to read-only minimizes risk, especially if tokens are leaked or misused.
Compliance: Helps organizations with strict security policies adhere to the principle of least privilege.
Increased Trust: Users may be more willing to authorize integrations knowing that write permissions are not being requested.
Developer Flexibility: Developers can choose to request only the necessary permissions for their app’s purpose.
I believe such a feature would be a win-win for both security-conscious users and developers building integrations that don’t require full access.
Has anyone else faced this issue or have thoughts on the potential implementation of a read-only scope? I’d love to hear feedback or any updates regarding this possibility.
Thank you for sharing this feedback, this is good timing. We’re currently working on this feature. Be on the lookout in our developer docs for documentation related to our scopes early release preview soon.
Hey @John_Vu
While working on the app implementation, after fetching users’ access_token through the application (via code and refresh_token), when I use that same access token to access a few GET APIs (view only), it restricts me on scope.
For example, while using the API: https://app.asana.com/api/1.0/user_task_lists/{user_task_list_gid}
The error I’m encountering is:
errors: [
  {
    message: 'One of the following scopes must be present to use this endpoint: default',
    help: 'For more information on API status codes and how to handle them, read the docs on errors: Errors'
  }
]
I request your team to kindly look into this.
Thanks in Advance
Ah yes, the reason why you are seeing this error message “One of the following scopes must be present to use this endpoint: default” is because we have not implemented scopes for this endpoint yet.
This is probably confusing since there are some endpoints with similar names:
If an endpoint you are using doesn’t have scopes implemented yet, you’ll need to set up your app to use the default scope, which is essentially full permissions.
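The exchange above boils down to two defender-side questions: what does a scope error from the API actually ask for, and can a token that was issued with granular read scopes make a given request without silently falling back to the full-permission default scope. The following helper, an added example that is not Asana’s SDK nor any poster’s code, parses the error body quoted in the thread and keeps an explicit table of which read scope covers which endpoint. The scope names `tasks:read` and `users:read` and the scope `default` come from this thread; the endpoint-to-scope table, the authorize URL and its query parameter names are assumptions for illustration, not taken from Asana’s documentation.

```python
"""Least-privilege request planning for an OAuth-scoped REST API (Asana-style).

Added example for this thread; not Asana's SDK or the poster's code.
ASSUMED: the endpoint-to-scope table, the authorize URL and its parameter
names are illustrative and must be checked against the vendor's docs.
"""
from __future__ import annotations

import re
from urllib.parse import urlencode

# Constructed error payload, shaped like the one quoted in the thread.
SAMPLE_SCOPE_ERROR = {
    "errors": [
        {
            "message": "One of the following scopes must be present to use this endpoint: default",
            "help": "For more information on API status codes and how to handle them, "
                    "read the docs on errors: Errors",
        }
    ]
}

_SCOPE_MSG = re.compile(
    r"One of the following scopes must be present to use this endpoint:\s*(.+)$"
)


def required_scopes_from_error(payload: dict) -> list[str]:
    """Return the scopes named in a scope error body, or [] for any other error."""
    for err in payload.get("errors", []):
        match = _SCOPE_MSG.search(err.get("message", ""))
        if match:
            # Accept either comma- or space-separated lists; strip stray whitespace.
            return [s.strip() for s in re.split(r"[,\s]+", match.group(1)) if s.strip()]
    return []


# ASSUMED mapping: which granular read scope should cover a read-only GET.
# Endpoints absent from this table are treated as "not yet scoped" and need
# the full-permission default scope, exactly the situation described above.
READ_SCOPE_FOR_PATH = {
    r"^/tasks/[^/]+$": "tasks:read",
    r"^/users/[^/]+$": "users:read",
}
FULL_ACCESS_SCOPE = "default"


def minimal_scope_for(path: str) -> str:
    """Smallest scope known to cover a GET on `path`; falls back to full access."""
    for pattern, scope in READ_SCOPE_FOR_PATH.items():
        if re.match(pattern, path):
            return scope
    return FULL_ACCESS_SCOPE


def plan_request(path: str, granted: set[str]) -> dict:
    """Decide, before sending, whether the token's scopes suffice for GET `path`.

    `falls_back_to_default` flags endpoints that would force a full-permission
    token, so an integration can surface that instead of over-requesting quietly.
    """
    needed = minimal_scope_for(path)
    allowed = needed in granted or FULL_ACCESS_SCOPE in granted
    return {
        "path": path,
        "needed": needed,
        "allowed": allowed,
        "falls_back_to_default": needed == FULL_ACCESS_SCOPE,
    }


def missing_scopes(payload: dict, granted: set[str]) -> list[str]:
    """After a rejected call, list the scopes the API asked for that the token lacks."""
    return [s for s in required_scopes_from_error(payload) if s not in granted]


def build_authorize_url(client_id: str, redirect_uri: str, scopes: list[str],
                        state: str,
                        base: str = "https://app.asana.com/-/oauth_authorize") -> str:
    """Build an authorization request that asks only for the listed scopes (ASSUMED params)."""
    query = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "state": state,                  # CSRF binding; verify on callback
        "scope": " ".join(sorted(scopes)),
    }
    return f"{base}?{urlencode(query)}"


if __name__ == "__main__":
    granted = {"tasks:read", "users:read"}
    print(plan_request("/tasks/1234", granted))
    print(plan_request("/user_task_lists/1234", granted))   # not scoped yet
    print(missing_scopes(SAMPLE_SCOPE_ERROR, granted))       # ['default']
    print(build_authorize_url("app-id", "https://example.invalid/cb",
                              sorted(granted), "nonce-123"))
```

`plan_request` is the useful part: running it before each call turns the runtime error in the thread into a build-time decision, and `falls_back_to_default` lets the integration log or refuse the endpoints that would force a full-permission token rather than silently widening the scope request.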
Hi @John_Vu
Thanks for the prompt response. Yes, the scopes are visible now.
Just one last request from my side: if you could add the
GET https://app.asana.com/api/1.0/users/{user_gid}/user_task_list
API also under the “tasks: read” or “users:read” scope, because until I fetch the user_task_list gid, the further operations would not be useful for me.
This would be very helpful, and would complete our requirements of an automation.
Looking forward to your response on the same.
Thanks in Advance