Every token carries an explicit list of scopes. A read succeeds when the token holds the matching scope and has access to the target domain. A write may return HTTP 202 with status APPROVAL_REQUIRED when the token is not allowed to auto-approve that action, in which case the request is queued for a human decision rather than executed.
Baseline (read) scopes
| Scope | Access |
|---|---|
| domains:read | List domains in the workspace |
| prompts:read | Read prompt definitions |
| visibility:read | AI visibility and mention analytics |
| audits:read | Site audit summaries and issues |
| competitors:read | Tracked competitors |
| traffic:read | GA4 and Search Console summaries |
| articles:read | Articles |
| integrations:read | Integration status and Webflow CMS reads |
Elevated (write) scopes
| Scope | Access |
|---|---|
| prompts:write | Create and update prompts |
| prompts:delete | Delete prompts (never auto-approved) |
| audits:trigger | Start site audits |
| competitors:manage | Add competitors |
| integrations:write | Create or update Webflow CMS drafts |
| domains:manage | Create and manage domains |
| articles:write | Create and update articles |
Approval flow
When a write returns approval required, the 202 body looks like this:

```json
{
  "status": "APPROVAL_REQUIRED",
  "approvalRequestId": "uuid",
  "approvalUrl": "https://app.mentionpath.ai/..."
}
```
An organization owner or admin approves or denies the action in Account → Approvals. You can allow specific write actions to auto-approve per token under Account → API, but only for actions whose scope is already granted to that token; prompts:delete is never auto-approved regardless of this setting.
REST and MCP share the same scope and approval rules. A token that can call POST /domains/{id}/prompts behaves the same as the prompts_create MCP tool.
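The decision rules above (scope present, domain access, per-token auto-approve, the never-auto-approved exception) and the client-side handling of the 202 response, as an added example. This is not MentionPath's code: the action-to-scope mapping, the 403 body for a denied write, the 201 body for an auto-approved write, and the `Token` shape are assumptions made for the example; the `APPROVAL_REQUIRED` body matches the shape shown above, with the page's placeholder URL left as-is.

```python
"""Model of the scope / approval decision for writes, plus a client handler.
Added example, not MentionPath's own code. Status codes and bodies other than
the 202 APPROVAL_REQUIRED shape are assumptions."""
import uuid
from dataclasses import dataclass, field

# From the docs: this scope is never auto-approved.
NEVER_AUTO_APPROVED = {"prompts:delete"}
# From the docs: not granted to API/MCP tokens by default.
RESTRICTED_BY_DEFAULT = {"approvals:resolve", "permissions:manage"}

# Assumed mapping from a write action (REST route or MCP tool) to the
# elevated scope it requires. Only prompts_create is named on the page.
ACTION_SCOPE = {
    "prompts_create": "prompts:write",      # POST /domains/{id}/prompts
    "prompts_delete": "prompts:delete",
    "audits_trigger": "audits:trigger",
    "competitors_add": "competitors:manage",
}


@dataclass
class Token:
    scopes: set                                  # granted scopes
    domains: set                                 # domain ids the token may access
    auto_approve: set = field(default_factory=set)  # scopes allowed to auto-approve


def authorize_write(token: Token, action: str, domain_id: str):
    """Server-side decision for a write. Returns (http_status, body)."""
    scope = ACTION_SCOPE[action]
    # Missing scope or no access to the target domain: plain denial (assumed body).
    if scope not in token.scopes or domain_id not in token.domains:
        return 403, {"status": "FORBIDDEN", "requiredScope": scope}
    # Auto-approve is opt-in per token and never available for prompts:delete.
    if scope in NEVER_AUTO_APPROVED or scope not in token.auto_approve:
        return 202, {
            "status": "APPROVAL_REQUIRED",
            "approvalRequestId": str(uuid.uuid4()),
            "approvalUrl": "https://app.mentionpath.ai/...",  # page placeholder
        }
    return 201, {"status": "CREATED"}  # assumed success body


def handle_write_response(status: int, body: dict):
    """Client side: classify a write response.

    Returns ("done", None), ("pending", approvalRequestId) or raises.
    A 202 is NOT success: the action has not happened until a human approves it,
    so callers must persist the request id and check back rather than proceed.
    """
    if status == 202 and body.get("status") == "APPROVAL_REQUIRED":
        request_id = body["approvalRequestId"]
        uuid.UUID(request_id)  # reject a malformed id early (raises ValueError)
        return "pending", request_id
    if 200 <= status < 300:
        return "done", None
    raise PermissionError(f"write denied: {status} {body}")


def restricted_scopes_in(requested) -> set:
    """Scopes in a token request that are not granted by default."""
    return set(requested) & RESTRICTED_BY_DEFAULT


if __name__ == "__main__":
    # Constructed sample: a token scoped to one domain, auto-approve for prompts:write only.
    tok = Token(scopes={"prompts:write", "prompts:delete"}, domains={"d1"},
                auto_approve={"prompts:write", "prompts:delete"})
    for action, domain in [("prompts_create", "d1"), ("prompts_delete", "d1"),
                           ("prompts_create", "d2")]:
        status, body = authorize_write(tok, action, domain)
        try:
            print(action, domain, "->", status, handle_write_response(status, body))
        except PermissionError as exc:
            print(action, domain, "->", exc)
```

The same `authorize_write` model applies whether the write arrives over REST or as an MCP tool call, which is the point made above: the transport does not change the scope or approval outcome.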
Restricted scopes
These scopes are not granted to API or MCP tokens by default:

| Scope | Access |
|---|---|
| approvals:resolve | Approve or deny pending requests (intended for humans via the UI first) |
| permissions:manage | Org role and permission administration |