MCP scopes
Per-tool scope requirements — what your token needs to call what.
Every tool checks scope before anything else. A missing scope returns HTTP 403 with `Missing scope: <name>`, and the tool body never runs.
Scope matrix
| Tool | Scope | Notes |
|---|---|---|
| check_domain_availability | availability:read | |
| get_tld_info | availability:read | |
| whoami | orgs:read | |
| list_my_orgs | orgs:read | |
| get_org | orgs:read | |
| list_org_members | orgs:read | |
| list_org_domains | domains:read | |
| get_domain | domains:read | auth_code redacted unless caller also has domains:write |
| update_domain_settings | domains:write | |
| register_domains | domains:write | Spends money |
| renew_domain | domains:write | Spends money |
| list_dns_records | dns:read | |
| create_dns_record, update_dns_record, delete_dns_record | dns:write | |
| list_dns_presets, get_active_dns_presets | dns:read | |
| apply_dns_preset, remove_dns_preset | dns:write | Always confirms |
| list_contacts, get_domain_contacts | contacts:read | |
| create_contact, update_contact, delete_contact | contacts:write | Owner/admin only |
| set_domain_contact, unset_domain_contact | contacts:write | Owner/admin only |
| get_balance | orgs:read | |
| list_my_confirmations | orgs:read | |
Defaults
OAuth sessions are minted with: availability:read, orgs:read, orgs:write, domains:read, domains:write, dns:read, dns:write, contacts:read, contacts:write. That’s enough to do everything except billing.
API keys ship with whatever you tick at mint time. Use the tightest scope set that gets the job done.
Org role gates
A few tools also check the caller’s role within the org, on top of scope:
- Contact write tools (create, update, delete, set, unset) require owner or admin.
- Org settings and member management require owner or admin.
A member with contacts:write will still be rejected with “Admin or owner role required for this organization”.
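The check order described on this page (scope first, then org role, then the tool body) and the auth_code redaction in get_domain, as an added example. This is not the service's own code: the tool names, scopes and both error messages come from the matrix and the text above, while the `Caller` type, the per-org role lookup, the HTTP 403 status on the role failure and the sample domain record are assumptions made for illustration.

```python
# Added example, not the MCP server's own implementation. Tool names, scopes
# and error strings mirror the page; Caller, the org_roles lookup, the 403 on
# role failure and the sample record are assumptions for illustration.
from dataclasses import dataclass
from typing import Callable, Iterable, Mapping


class ToolError(Exception):
    """Raised before the tool body runs; carries the HTTP status to return."""

    def __init__(self, status: int, message: str) -> None:
        super().__init__(message)
        self.status = status
        self.message = message


@dataclass(frozen=True)
class Caller:
    scopes: frozenset                 # scopes on the OAuth session or API key
    org_roles: Mapping[str, str]      # org_id -> "owner" | "admin" | "member" (assumed)


# Scope matrix from the page, inverted into tool -> required scope.
TOOL_SCOPES: dict = {
    tool: scope
    for scope, tools in {
        "availability:read": ("check_domain_availability", "get_tld_info"),
        "orgs:read": ("whoami", "list_my_orgs", "get_org", "list_org_members",
                      "get_balance", "list_my_confirmations"),
        "domains:read": ("list_org_domains", "get_domain"),
        "domains:write": ("update_domain_settings", "register_domains", "renew_domain"),
        "dns:read": ("list_dns_records", "list_dns_presets", "get_active_dns_presets"),
        "dns:write": ("create_dns_record", "update_dns_record", "delete_dns_record",
                      "apply_dns_preset", "remove_dns_preset"),
        "contacts:read": ("list_contacts", "get_domain_contacts"),
        "contacts:write": ("create_contact", "update_contact", "delete_contact",
                           "set_domain_contact", "unset_domain_contact"),
    }.items()
    for tool in tools
}

# Contact write tools additionally require owner or admin role in the org.
ROLE_GATED = frozenset({"create_contact", "update_contact", "delete_contact",
                        "set_domain_contact", "unset_domain_contact"})
PRIVILEGED_ROLES = frozenset({"owner", "admin"})

# Scopes an OAuth session is minted with, per the Defaults section.
DEFAULT_OAUTH_SCOPES = frozenset({
    "availability:read", "orgs:read", "orgs:write", "domains:read",
    "domains:write", "dns:read", "dns:write", "contacts:read", "contacts:write",
})


def check_scope(caller: Caller, tool: str) -> None:
    """First gate: 403 'Missing scope: <name>' if the token lacks the scope."""
    needed = TOOL_SCOPES[tool]
    if needed not in caller.scopes:
        raise ToolError(403, f"Missing scope: {needed}")


def check_org_role(caller: Caller, tool: str, org_id: str) -> None:
    """Second gate, only for role-gated tools; status 403 is an assumption."""
    if tool in ROLE_GATED and caller.org_roles.get(org_id) not in PRIVILEGED_ROLES:
        raise ToolError(403, "Admin or owner role required for this organization")


def call_tool(caller: Caller, tool: str, org_id: str, body: Callable[[Caller], object]):
    """Run both gates in the page's order, then the tool body."""
    check_scope(caller, tool)
    check_org_role(caller, tool, org_id)
    return body(caller)


def get_domain(caller: Caller, record: dict) -> dict:
    """get_domain response shaping: auth_code is redacted without domains:write."""
    out = dict(record)
    if "domains:write" not in caller.scopes and "auth_code" in out:
        out["auth_code"] = "<redacted>"
    return out


def minimal_scopes(tools: Iterable[str]) -> frozenset:
    """Tightest scope set an API key needs to call exactly these tools."""
    return frozenset(TOOL_SCOPES[t] for t in tools)


def try_call(caller: Caller, tool: str, org_id: str, body: Callable[[Caller], object]):
    """Return (status, result or error message) so outcomes are easy to compare."""
    try:
        return 200, call_tool(caller, tool, org_id, body)
    except ToolError as e:
        return e.status, e.message


if __name__ == "__main__":
    # Constructed sample: a plain member holding contacts:write.
    member = Caller(frozenset({"contacts:write"}), {"org_1": "member"})
    print(try_call(member, "create_contact", "org_1", lambda c: "created"))
    # Constructed sample record for the redaction rule.
    record = {"name": "example.com", "auth_code": "not-a-real-code"}
    print(get_domain(Caller(frozenset({"domains:read"}), {}), record))
    print(sorted(minimal_scopes(["list_dns_records", "create_dns_record"])))
```

Because `check_scope` runs first, a caller that lacks both the scope and the role sees `Missing scope: contacts:write`, not the role message; the role gate is only reached by callers who already hold `contacts:write`. `minimal_scopes` is the helper to reach for when ticking scopes on a new API key: feed it the tools an automation actually calls and grant only what comes back.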