What Forge scope is required to call Atlas projects_search?

I’m building a Forge app (jira:issuePanel + jira:customField) that needs to query the Atlas/Townsquare projects GraphQL API from a resolver. Same-instance install (sandbox Jira → sandbox Atlas).

Call:
const response = await api.asApp().requestJira(route/gateway/api/graphql, {
method: ‘POST’,
headers: { ‘Content-Type’: ‘application/json’ },
body: JSON.stringify({
query: query ProjectsSearch($containerId: String!, $searchString: String!) { projects_search(containerId: $containerId, searchString: $searchString) { edges { node { id name } } } } ,
variables: {
containerId: “ari:cloud:townsquare::workspace/”,
searchString: “”,
},
}),
});

Response: 401 {“code”:401,“message”:“Unauthorized; scope does not match”}

Current manifest scopes:
permissions:
scopes:

  • read:jira-work
  • read:jira-user
  • storage:app

What I’ve tried:

  • read:project:projects — rejected by forge lint as invalid
  • read:project-status:projects — rejected
  • read:project-update:projects — rejected
  • read:goal:projects — rejected
  • Basic auth with a user API token (same-instance gateway URL) — also 401
  • api.asUser() — NEEDS_AUTHENTICATION_ERR

The forge lint validator clearly knows there’s a real namespace; I just can’t find the right strings. The Forge permissions reference page (developer.atlassian.com/platform/forge/manifest-reference/permissions/) lists scopes for
Jira/Confluence/Bitbucket/Compass/JSM but nothing for Atlas/Townsquare/Projects.

Question: What are the exact Forge permissions.scopes strings needed to call projects_search and projects_byId from a Forge resolver? Is there a published scopes reference for Atlas/Projects that I’m missing?

Thanks.

It seems like you’re using a REST API method for GraphQL. I think you should use requestGraph: https://developer.atlassian.com/platform/forge/apis-reference/fetch-api-product.requestgraph/