datasets:read mcp:query

datasets:read datasets:write documents:read documents:write mcp:query

datasets:read datasets:write datasets:delete
documents:read documents:write documents:delete
mcp:query mcp:batch_query
webhooks:manage
account:read

https://www.tryfltr.com/oauth/authorize?
  response_type=code&
  client_id=YOUR_CLIENT_ID&
  scope=datasets:read mcp:query&
  state=RANDOM_STATE&
  code_challenge=CODE_CHALLENGE&
  code_challenge_method=S256

from urllib.parse import urlencode

scopes = [
    "datasets:read",
    "documents:write",
    "mcp:query"
]

params = {
    "response_type": "code",
    "client_id": "YOUR_CLIENT_ID",
    "scope": " ".join(scopes),  # Space-separated
    "state": state,
    "code_challenge": code_challenge,
    "code_challenge_method": "S256"
}

auth_url = f"https://www.tryfltr.com/oauth/authorize?{urlencode(params)}"

datasets:delete
  └─ requires datasets:write
      └─ requires datasets:read

documents:delete
  └─ requires documents:read

mcp:batch_query
  └─ requires mcp:query
      └─ requires datasets:read

# Token response includes granted scopes
{
  "access_token": "fltr_at_abc123...",
  "scope": "datasets:read datasets:write mcp:query",
  "token_type": "Bearer",
  "expires_in": 3600
}

# Original scopes
original_scopes = "datasets:read mcp:query"

# Request additional scope
new_scopes = "datasets:read mcp:query webhooks:manage"

# User must re-authorize
redirect_to_authorization(scopes=new_scopes)

{
  "error": "Insufficient permissions",
  "code": "insufficient_scope",
  "details": {
    "required_scope": "datasets:write",
    "granted_scopes": ["datasets:read", "mcp:query"]
  }
}

{
  "error": "Invalid scope",
  "code": "invalid_scope",
  "details": {
    "invalid_scopes": ["datasets:admin"]
  }
}

# ✅ Good - minimal scopes
scopes = "datasets:read mcp:query"

# ❌ Bad - requesting everything
scopes = "datasets:read datasets:write datasets:delete documents:read documents:write..."

This app needs:
- datasets:read - To view your knowledge bases
- mcp:query - To search your documents
- webhooks:manage - To notify you of updates

requested_scopes = {"datasets:read", "datasets:write", "mcp:query"}
granted_scopes = set(token_response["scope"].split())

denied_scopes = requested_scopes - granted_scopes

if denied_scopes:
    print(f"User denied: {denied_scopes}")
    # Degrade gracefully or explain why scopes are needed

# Store with access token
{
    "access_token": "fltr_at_abc123...",
    "refresh_token": "fltr_rt_def456...",
    "scopes": ["datasets:read", "mcp:query"],
    "expires_at": 1704657600
}