Feedback requested: Removing Forge Remote OAuth scopes from the manifest

Summary

We are looking to remove the requirement to declare read:app-system-token and read:app-user-token scopes in the manifest file when enabling OAuth for Forge Remote requests.

Problem

  • These scopes create unnecessary repetition in the manifest, as they must always be defined when Forge Remote OAuth is enabled, but do not provide further functionality or information.
  • read:app-system-token and read:app-user-token differ from other scopes outlined in the permissions section of the manifest as they aren’t real OAuth scopes.

Proposed solution

When enabling OAuth in Forge Remote apps, the read:app-system-token and read:app-user-token scopes do not have to be defined in the manifest.

remotes:
  - key: remote-app-node
    baseUrl: https://forge-remote-refapp-nodejs.services.atlassian.com
    auth:
      appSystemToken:
        enabled: true
      appUserToken:
        enabled: true
    operations:
      - compute
## The following is now optional
permissions:
  scopes:
    - read:app-system-token
    - read:app-user-token

Feedback

We’d be keen to hear your feedback on whether these are changes you’d like to see and if you can see any issues with this change.


Hi @LilyYang, what is the status of this? The forge deploy command still requires read:app-system-token and read:app-user-token and fails without them.

Hi @maciej.dudziak, apologies about that. The change has been added but linting hasn’t been updated yet. The change there should roll out with the next CLI version. In the meantime, this should work if you run forge deploy --no-verify.
