Scope OAuth2 grant w/ Netlify API

I’m trying to use a submission-created function to do some lightweight validation/spam filtering on a Netlify Form. It looks like the Netlify API has endpoints to do this, but they require authentication (which makes sense).

So I’ve started down the path of getting a token to use for these calls that is scoped to the application that this function will run on, loosely following the fragmented bits of documentation and example code scattered about, clumsily arriving at the following screen after having created a “ticket” (no idea what this terminology refers to since it’s undocumented) to authorize:

It turns out that this process results in creating an access token that has the same permissions as I have on Netlify, despite not being a personal access token. So naturally I went looking for documentation on the roles and scopes available…only to find absolutely nothing on it. No mention at all, save for a single label without a value in the documentation, hinting that Netlify has not implemented them.

:rotating_light: This is alarming and not tenable for my needs since this secret would need to exist in my environment variables for the function to access at runtime. :scream:

I also found this thread on the Redwood community discussing this back in July, but I don’t know what (if any) progress has been made.

If this isn’t possible we’ll likely move away from Netlify Forms (and possibly Netlify).

Hi @coreyward,

At the moment, I don’t think it is possible to customize the scope of the OAuth authorization. It looks like there’s work in progress to get this feature implemented. I don’t have an ETA on when it’ll be released though. I’ve added this thread as one to be updated if and when the feature is released.

Thank you for bringing that up.