URL: /mcp/scopes

---
title: MCP scopes
description: Per-tool scope requirements — what your token needs to call what.
---

Every tool checks scope as the first thing it does. Missing scope is HTTP 403 with `Missing scope: <name>` — the tool body never runs.

## Scope matrix

| Tool | Scope | Notes |
| --- | --- | --- |
| `check_domain_availability` | `availability:read` | |
| `get_tld_info` | `availability:read` | |
| `whoami` | `orgs:read` | |
| `list_my_orgs` | `orgs:read` | |
| `get_org` | `orgs:read` | |
| `list_org_members` | `orgs:read` | |
| `list_org_domains` | `domains:read` | |
| `get_domain` | `domains:read` | `auth_code` redacted unless caller also has `domains:write` |
| `update_domain_settings` | `domains:write` | |
| `register_domains` | `domains:write` | Spends money |
| `renew_domain` | `domains:write` | Spends money |
| `list_dns_records` | `dns:read` | |
| `create_dns_record`, `update_dns_record`, `delete_dns_record` | `dns:write` | |
| `list_dns_presets`, `get_active_dns_presets` | `dns:read` | |
| `apply_dns_preset`, `remove_dns_preset` | `dns:write` | Always confirms |
| `list_contacts`, `get_domain_contacts` | `contacts:read` | |
| `create_contact`, `update_contact`, `delete_contact` | `contacts:write` | Owner/admin only |
| `set_domain_contact`, `unset_domain_contact` | `contacts:write` | Owner/admin only |
| `get_balance` | `orgs:read` | |
| `list_my_confirmations` | `orgs:read` | |

## Defaults

OAuth sessions are minted with: `availability:read`, `orgs:read`, `orgs:write`, `domains:read`, `domains:write`, `dns:read`, `dns:write`, `contacts:read`, `contacts:write`. That's enough to do everything except billing.

API keys ship with whatever you tick at mint time. Use the tightest scope set that gets the job done.

## Org role gates

A few tools also check the caller's role within the org, on top of scope:

- Contact write tools (create, update, delete, set, unset) require `owner` or `admin`.
- Org settings and member management require `owner` or `admin`.

A `member` with `contacts:write` will still be rejected with "Admin or owner role required for this organization".
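The check order described on this page (scope first, then the org role gate) and the `auth_code` redaction rule from the scope matrix, as an added reference model. This is illustrative code, not the server's own implementation: the tool-to-scope table and the two error strings are copied from this page, but the function names, the `(status, message)` return shape, the status code used for the role error and the `"<redacted>"` placeholder are assumptions. It also adds a `minimal_scopes` helper for picking the tightest API-key scope set for a given list of tools, which the Defaults section recommends but does not spell out.

```python
"""Reference model of the scope-first, role-second authorization on this page.

Added illustration, not the server's code. Matrix and error strings come from
the page; function names, return shape and placeholder values are assumptions.
"""
from __future__ import annotations

from typing import Collection

# Tool -> required scope, copied from the scope matrix.
SCOPE_MATRIX: dict[str, str] = {
    "check_domain_availability": "availability:read",
    "get_tld_info": "availability:read",
    "whoami": "orgs:read",
    "list_my_orgs": "orgs:read",
    "get_org": "orgs:read",
    "list_org_members": "orgs:read",
    "list_org_domains": "domains:read",
    "get_domain": "domains:read",
    "update_domain_settings": "domains:write",
    "register_domains": "domains:write",
    "renew_domain": "domains:write",
    "list_dns_records": "dns:read",
    "create_dns_record": "dns:write",
    "update_dns_record": "dns:write",
    "delete_dns_record": "dns:write",
    "list_dns_presets": "dns:read",
    "get_active_dns_presets": "dns:read",
    "apply_dns_preset": "dns:write",
    "remove_dns_preset": "dns:write",
    "list_contacts": "contacts:read",
    "get_domain_contacts": "contacts:read",
    "create_contact": "contacts:write",
    "update_contact": "contacts:write",
    "delete_contact": "contacts:write",
    "set_domain_contact": "contacts:write",
    "unset_domain_contact": "contacts:write",
    "get_balance": "orgs:read",
    "list_my_confirmations": "orgs:read",
}

# Contact write tools also require an owner/admin org role (see "Org role gates").
ROLE_GATED: frozenset[str] = frozenset({
    "create_contact", "update_contact", "delete_contact",
    "set_domain_contact", "unset_domain_contact",
})
PRIVILEGED_ROLES: frozenset[str] = frozenset({"owner", "admin"})

# Scope set minted on OAuth sessions (see "Defaults").
OAUTH_DEFAULT_SCOPES: frozenset[str] = frozenset({
    "availability:read", "orgs:read", "orgs:write", "domains:read",
    "domains:write", "dns:read", "dns:write", "contacts:read", "contacts:write",
})

ROLE_ERROR = "Admin or owner role required for this organization"


def authorize(tool: str, scopes: Collection[str],
              org_role: str | None = None) -> tuple[int, str | None]:
    """Return (http_status, error_message); (200, None) means the tool body may run.

    The scope check runs first, exactly as the page states, so a caller without
    the scope never reaches the role gate. Status 403 for the role error and 404
    for an unknown tool are assumptions; the page only gives 403 for missing scope.
    """
    required = SCOPE_MATRIX.get(tool)
    if required is None:
        return 404, f"Unknown tool: {tool}"
    if required not in scopes:
        return 403, f"Missing scope: {required}"
    if tool in ROLE_GATED and org_role not in PRIVILEGED_ROLES:
        return 403, ROLE_ERROR
    return 200, None


def redact_domain(record: dict, scopes: Collection[str]) -> dict:
    """Apply the get_domain rule: auth_code is redacted unless domains:write is held.

    Replacing the value with a placeholder (rather than dropping the key) is an
    assumption; the page only says the field is redacted.
    """
    out = dict(record)
    if "auth_code" in out and "domains:write" not in scopes:
        out["auth_code"] = "<redacted>"
    return out


def minimal_scopes(tools: Collection[str]) -> frozenset[str]:
    """Tightest scope set that lets an API key call exactly these tools."""
    unknown = [t for t in tools if t not in SCOPE_MATRIX]
    if unknown:
        raise KeyError(f"Unknown tools: {unknown}")
    return frozenset(SCOPE_MATRIX[t] for t in tools)


if __name__ == "__main__":
    # Constructed walk-through: a member with the default OAuth scopes.
    for tool in ("get_domain", "create_contact", "register_domains"):
        print(tool, authorize(tool, OAUTH_DEFAULT_SCOPES, org_role="member"))
    print(minimal_scopes(["list_dns_records", "create_dns_record", "whoami"]))
```

`minimal_scopes` is the practical half of "use the tightest scope set": pass it the tools an integration actually calls and tick only the scopes it returns when minting the key, so a leaked key cannot reach the money-spending or contact-write tools it never needed.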
