feat(auth): Replace granular scopes with wildcard scope (#1612)

Twixes · web-flow · commit d95d46a415ad · 2026-04-13T16:50:53.000+02:00
## Summary Instead or updating the scopes all the time, proposing we use a single `*` wildcard scope in PostHog OAuth. Bumps `OAUTH_SCOPE_VERSION` from 3 to 4, forcing existing sessions to re-authenticate with the new scope --- _Created with_ [_PostHog Code_](https://posthog.com/code?ref=pr)
diff --git a/apps/code/src/shared/constants/oauth.test.ts b/apps/code/src/shared/constants/oauth.test.ts
@@ -8,39 +8,9 @@ describe("OAUTH_SCOPES guard", () => {
       scopes: OAUTH_SCOPES,
     }).toMatchInlineSnapshot(`
       {
-        "scopeVersion": 3,
+        "scopeVersion": 4,
         "scopes": [
-          "user:read",
-          "user:write",
-          "project:read",
-          "task:write",
-          "llm_gateway:read",
-          "integration:read",
-          "introspection",
-          "action:read",
-          "action:write",
-          "dashboard:read",
-          "dashboard:write",
-          "error_tracking:read",
-          "error_tracking:write",
-          "event_definition:read",
-          "event_definition:write",
-          "experiment:read",
-          "experiment:write",
-          "feature_flag:read",
-          "feature_flag:write",
-          "insight:read",
-          "insight:write",
-          "logs:read",
-          "organization:read",
-          "property_definition:read",
-          "query:read",
-          "survey:read",
-          "survey:write",
-          "warehouse_table:read",
-          "warehouse_view:read",
-          "external_data_source:read",
-          "external_data_source:write",
+          "*",
         ],
       }
     `);
diff --git a/apps/code/src/shared/constants/oauth.ts b/apps/code/src/shared/constants/oauth.ts
@@ -5,43 +5,9 @@ export const POSTHOG_EU_CLIENT_ID = "AIvijgMS0dxKEmr5z6odvRd8Pkh5vts3nPTzgzU9";
 export const POSTHOG_DEV_CLIENT_ID = "DC5uRLVbGI02YQ82grxgnK6Qn12SXWpCqdPb60oZ";
 
 // Bump OAUTH_SCOPE_VERSION below whenever OAUTH_SCOPES changes to force re-authentication
-export const OAUTH_SCOPES = [
-  // PostHog Code app needs
-  "user:read",
-  "user:write",
-  "project:read",
-  "task:write",
-  "llm_gateway:read",
-  "integration:read",
-  "introspection",
-  // MCP server scopes
-  "action:read",
-  "action:write",
-  "dashboard:read",
-  "dashboard:write",
-  "error_tracking:read",
-  "error_tracking:write",
-  "event_definition:read",
-  "event_definition:write",
-  "experiment:read",
-  "experiment:write",
-  "feature_flag:read",
-  "feature_flag:write",
-  "insight:read",
-  "insight:write",
-  "logs:read",
-  "organization:read",
-  "property_definition:read",
-  "query:read",
-  "survey:read",
-  "survey:write",
-  "warehouse_table:read",
-  "warehouse_view:read",
-  "external_data_source:read",
-  "external_data_source:write",
-];
+export const OAUTH_SCOPES = ["*"];
 
-export const OAUTH_SCOPE_VERSION = 3;
+export const OAUTH_SCOPE_VERSION = 4;
 
 export const REGION_LABELS: Record<CloudRegion, string> = {
   us: "🇺🇸 US Cloud",
