Build It

OAuth & scopes

17 scopes across three sensitivity tiers. Your first handshake usually misses canvas + skill.

17 scopes across three sensitivity tiers. Your first handshake usually misses canvas:* and skill:*. Reconnect to pick up the full set.

The 17 scopes

Sprout uses OAuth 2.0 for partner authentication. Each scope maps to a family of MCP tools. Request only what you need; the parent sees the full list at consent time.

ScopeTierTools unlocked
family:readReadfamily_query_overview
task:readReadtask_list, task_review
task:writeWritetask_create, task_update, task_complete, task_delete
skill:readReadskill_list, skill_get
skill:writeWriteskill_write, skill_activate, skill_update, skill_invoke
canvas:readReadcanvas_list, canvas_get
canvas:writeWritecanvas_create, canvas_update
reward:readReadreward_list
reward:writeWritereward_create, reward_update
routine:readReadroutine_list, routine_describe
routine:writeWriteroutine_create, routine_update
screentime:readReadscreentime_list_requests, screentime_query_state
gems:readReadgems_query_balance, gems_list_transactions
project:readReadproject_list, project_get
project:writeWrite(reserved, not yet active)
gems:adjustHighgems_adjust
screentime:approveHighscreentime_review_request

First connect

Most MCP hosts (Claude Desktop, Cursor, etc.) present the scope list on first connect. The parent approves. Common pitfall: the default scope set may not include canvas:* or skill:*. If your agent tries canvas_create and gets "tool not in catalog," disconnect and reconnect with the full scope set.

Shell
# Check which scopes your token has
mcp_whoami
# Look at the sprout_scopes array in the response
# Missing canvas:write or skill:write?
# /mcp -> sprout -> disconnect -> connect
# Approve the expanded scope set

Scope request flow

  1. Your agent connects to Sprout via MCP.
  2. The MCP host shows the requested scopes to the parent.
  3. Parent approves (or narrows the set).
  4. Your agent receives a token scoped to the approved set.
  5. Any tool call outside the granted scopes returns a clear error naming the missing scope.
infoRequest all scopes you will need up front. Incremental scope expansion requires a full disconnect/reconnect cycle, which interrupts the parent's flow.

Further reading

Was this page helpful?
Hello, family chevron_right