OAuth asking for enterprise scopes from enterprise teams without having enterprise accounts

  • 29 December 2022
  • 7 replies

I would like to ask, if it is possible to have an OAuth application, that request the Enterprise scopes from the people / teams having the Enterprise plans, without having the Enterprise account myself?

Based on the answers in Don't see organizations:read scope in Oauth app and How to add see the scopes of the Dev account on the enterprise acount , I am aware that I can not access this endpoints on my account (since we do not have Enterprise) and do do not provide the sandbox for this. But I don’t need this two.

All I would like is request these scopes from the people that have the enterprise plans.

If this is not possible, what is your recommendation for the alternative? Make each one create the app in their own teams? Or is there any easier solution for this?

7 replies

Userlevel 6
Badge +4

Hey @hamsters-leanix-smp,

Thanks for the details! To clarify, if a user does not have the Company Admin role under an Enterprise account, they will see something like this when going to create an application and select scopes:

Non Enterprise plan, or not a Company Admin

If a user belongs to an Enterprise account and does have a valid Company Admin role, they should see something like this, with additional scopes:

Company Admin on an Enterprise plan

If the individual you were working with isn’t seeing these additional scopes, they should confirm with their account administrator that they’re assigned this role within the specific team that they’re creating the app under. The account administrator can verify this by going to that team, and then Company settings > Active users, and next to their name it should say Role: Company Admin.

Let me know if it helps!

Can I have the question about the second options then? (Also started to ask about the first option inside our company, but it will take some time for me to get an answer)

I have tried the second option with one of our customers today. I wanted them to create an app, and we would use their app data. But when they tried to create the app, they also did not have these permissions included.

I have seen their screen in Miro listing them as the Company admin in one of the teams. And I can get the organization ID from the https://api.miro.com/v1/oauth-token with the credentials they provided us through the already existing OAuth. This two should indicate that they have an enterprise plan, right? So it should be showing the permissions as in the screenshot of https://help.miro.com/hc/en-us/articles/4766759572114-Enterprise-Developer-teams#Creating_and_installing_apps.

But I don’t see the permissions in this way. Instead saw the version which included the microphone permissions, and had audit log separately. But no organization premissions.

Or is there something else I should be checking, to see if they have the right plans / permissions?

Userlevel 6
Badge +4

Hi @hamsters-leanix-smp,

Thanks for confirming, and apologies for the back and forth on this. You are right — you would need the Company Admin role in order to view all available Enterprise-level scopes for OAuth. Without this role (and consequently, an Enterprise plan), it will be difficult to develop an Enterprise level app from just your own, non Enterprise account. 

I think there are two options in this case: 

  1. If you will be developing an enterprise level app or integration that will be utilized across different accounts, considering an Enterprise plan of your may be worth it. I say this just to be able to access the scopes under your own account, but also so that you can actively test the integration under your own account while you’re developing it.
  2. For any Enterprise level accounts that you’re developing an integration for, have them add you to their account as a company admin during development. Or, have them create the app for you and share the app details with you privately. This option is less desirable and not all Enterprises may be comfortable with this access.


Having said this, you’ve raised an important experience for us, and I’m actively sharing this feedback with our Enterprise teams in the hopes of improving the options available for Enterprise development going forward. 


That is why I was asking about.

Since we do not have an enterprise account, I am only listed as the team admin. As far as I understand, the company admins are only available for enterprise plans, right?

But we are making an integration for other companies, that do have enterprise account and will be connected by the company admins.

Userlevel 6
Badge +4

Hey @hamsters-leanix-smp,

Thanks for getting back to me and for clarifying some of this — I’m double checking with our Enterprise team on some of these details for you. In the meantime, can you confirm if you have a company admin role? This would also be necessary to see those scopes listed.


Thank you for the response. It is hearting to hear it should be possible.

Originally, I was asking because it seems that I can only pick the enterprise scopes related to the V1 version of the API, but not to the V2 version of the Miro API. And I could not find the way to use them.

When using the V1 of the API, we were using the following scopes below. And this way we could access the enterprise-only endpoint with the OAuth authorization from enterprise plans.

But when checking the V2 documentation, the auditlogs:read permission is not even listed on the scopes site, instead the ones that are listed there are not available here. Is there are plan to add them here?

I also tried to see if it would be possible to use the scope or scopes URL parameter. But the first ones seems to get ignored - the scopes from the app configuration are used. The scopes on the other hand, the second option hides the scopes and the credentials created with this have empty scopes when checked with https://api.miro.com/v1/oauth-token endpoint. So I am guessing this is not the right way to do it?

But then I am not sure how to actually configure the OAuth to request these scopes?

This was the original motivation behind the question. I could not figure out how to do it, so I wanted to make sure it is even possible.

Did I miss any documentation in how to do this?

Userlevel 6
Badge +4

Hi @hamsters-leanix-smp,

Thanks for reaching out, and good question. Yes, this should be possible. 

You should not need an Enterprise plan in order to create a developer app that would require these scopes. When you go to create the app, there will be an “Enterprise plan only” section in the scopes that you can select.

As you mentioned, only users who have an Enterprise plan and access to these scopes will be able to authorize the app. But once they do, your app would have access to any relevant endpoints on their behalf. 

While you won’t be able to test it out yourself without an Enterprise plan, it should be possible! Let me know if it helps to clarify. 😀