Sign In

Permission Scopes

Reference for OAuth 2.0 permission scopes available in the Coach Watts API and MCP server.

When requesting authorization, specify which scopes your application needs. Users see these permissions on the consent screen and can deny access they are uncomfortable with.

REST API scopes

ScopeDescriptionAccess
profile:readDefault. Read public profile infoName, email, avatar, FTP
profile:writeUpdate profile settingsWeight, FTP, preferences
workout:readRead workout historyList workouts, get details
workout:writeManage workoutsUpload, edit, delete workouts
health:readRead health metricsHRV, sleep, recovery scores
health:writeLog health metricsHRV, sleep, weight
nutrition:readRead nutrition logsDaily calories, macros
nutrition:writeLog nutrition dataCalories, carbs, protein
offline_accessLong-lived accessReturns a refresh_token

MCP scopes

These scopes apply to the remote MCP server at /mcp. See MCP Server for setup.

ScopeDescription
planning:readRead planned workouts, availability, and current plan
planning:writeCreate and modify planned workouts
analysis:readTraining load analysis and forecasts
memory:readList stored AI memories
memory:writeCreate, update, or forget memories
recommendations:readRead recommendations
recommendations:writeAccept or dismiss recommendations
ai:generateReserved for future async/AI tools

MCP also reuses the profile, workout, health, and nutrition scopes above.

Best practices

  • Least privilege — only request scopes your app actually uses
  • Incremental auth — request additional scopes later when the user attempts a specific action
  • Explain why — tell users on your app's connect screen what data you need and why

Example authorization request

GET /api/oauth/authorize
  ?response_type=code
  &client_id=YOUR_CLIENT_ID
  &redirect_uri=YOUR_REDIRECT_URI
  &scope=profile:read workout:read health:read offline_access
  &state=RANDOM_STRING
  &code_challenge=PKCE_CHALLENGE
  &code_challenge_method=S256
Back to Index