fix: drop stale introspection from interactive OAuth scope list #433

@MattBro

Context

`src/utils/setup-utils.ts:495` requests `introspection` as part of the wizard's interactive OAuth scope set. Per RFC 7662, `introspection` is the OAuth Token Introspection endpoint, not a grantable scope. Per RFC 8414, it's correctly published in AS metadata as `introspection_endpoint`, never as a member of `scopes_supported`.

PostHog/posthog#56835 removed it from MCP's published scope list for this reason. The wizard still requests it, which means the AS either silently drops it or quietly issues an `invalid_scope` warning that we never surface.

Change

Remove `'introspection'` from the scope array at `setup-utils.ts:495`:

```ts
const tokenResponse = await performOAuthFlow({
  scopes: [
    'user:read',
    'project:read',
-   'introspection',
    'llm_gateway:read',
    'dashboard:write',
    'insight:write',
    'query:read',
    'health_issue:read',
  ],
  signup: false,
});
```

Why

One stale string with no functional purpose. Stops the next person from copy-pasting it into a partner integration's scope list.

Tracking

Parent: PostHog/posthog#57524
Related: PostHog/posthog#56835, PostHog/posthog#56833
Project: https://github.com/orgs/PostHog/projects/194
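
One way to catch this class of mistake before it ships, as an added example that is not code from the wizard or from PostHog: compare the requested scope list against the authorization server's RFC 8414 metadata and flag any entry that names a published `*_endpoint` rather than a member of `scopes_supported`. The names `auditRequestedScopes`, `AsMetadata`, `problems` and the `as.example` metadata document are assumptions constructed for illustration.

```typescript
// Subset of RFC 8414 authorization server metadata used by this check.
interface AsMetadata {
  issuer: string;
  scopes_supported?: string[]; // RECOMMENDED in RFC 8414, so it may be absent
  [key: string]: unknown;      // e.g. introspection_endpoint
}

type Verdict = 'ok' | 'endpoint_name' | 'unsupported' | 'unverifiable';
interface Finding { scope: string; verdict: Verdict; detail: string }

// Hypothetical helper: classify each requested scope against the metadata.
function auditRequestedScopes(requested: string[], md: AsMetadata): Finding[] {
  const supported = md.scopes_supported ? new Set(md.scopes_supported) : null;
  return requested.map((scope): Finding => {
    if (supported?.has(scope)) {
      return { scope, verdict: 'ok', detail: 'listed in scopes_supported' };
    }
    // "introspection" matches the metadata key "introspection_endpoint".
    const endpointKey = `${scope}_endpoint`;
    if (typeof md[endpointKey] === 'string') {
      return { scope, verdict: 'endpoint_name',
               detail: `${endpointKey} is an endpoint, not a grantable scope` };
    }
    if (supported === null) {
      return { scope, verdict: 'unverifiable',
               detail: 'AS does not publish scopes_supported' };
    }
    return { scope, verdict: 'unsupported', detail: 'not in scopes_supported' };
  });
}

// Keep only the entries a reviewer needs to look at.
function problems(findings: Finding[]): Finding[] {
  return findings.filter((f) => f.verdict !== 'ok');
}

// Constructed sample metadata (not a real server's document).
const sampleMetadata: AsMetadata = {
  issuer: 'https://as.example',
  introspection_endpoint: 'https://as.example/oauth/introspect',
  scopes_supported: ['user:read', 'project:read', 'llm_gateway:read',
    'dashboard:write', 'insight:write', 'query:read', 'health_issue:read'],
};

// Scope list as shown in the issue, before the removal.
const requestedBeforeFix = ['user:read', 'project:read', 'introspection',
  'llm_gateway:read', 'dashboard:write', 'insight:write', 'query:read',
  'health_issue:read'];

console.log(problems(auditRequestedScopes(requestedBeforeFix, sampleMetadata)));
```

Run as a CI check, a non-empty `problems` result can fail the build, which surfaces the mismatch instead of leaving it to whatever the AS does with an unknown scope.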
