OAuth scopes
How verxion gates what your agent can read, write, and delete.
verxion uses OAuth scopes to decide what an agent is allowed to do on your behalf. Every tool call is gated on the scopes the token carries — the agent can’t escalate, and you can hand out reduced-permission tokens when you want.
The scope model
Five resource groups, three permission tiers each — fifteen scopes total.
| Resource | What it covers |
|---|---|
| workouts | Routines, programs, sessions, set logs, advanced sets, cardio, steps |
| nutrition | Diet plans, meal logs, recipes, custom foods, supplements, water |
| profile | Account, athlete profile, measurements, weight, body data, settings |
| social | Following, leaderboards, showcases, public profiles |
| notes | Annotations attached to sessions, exercises, or diet days |
The three tiers
| Tier | What it grants |
|---|---|
| <resource>.read | View the data |
| <resource>.write | Create and update entries |
| <resource>.destructive | Delete entries permanently |
The tiers are additive. A token with workouts.write can also read; a token with workouts.destructive can read and write.
How scopes are issued
The setup page hands you a config snippet with a default scope set — the everyday scopes you need for normal use across all five resource groups, at the write tier (not destructive).
If you want a different set:
- Read-only: pick the read-only snippet on the setup page. Your agent can answer questions but can’t change anything.
- Custom: contact support — custom scope bundles are available on request.
What this means in practice
- You can’t accidentally delete data through your agent unless you’ve explicitly opted into destructive scopes. The default does not include them.
- You can hand a read-only token to an agent you’re testing without risk.
- Scope failures return a clear error — if the agent tries workouts.destructive with a workouts.write token, the call fails immediately and the agent sees a permission error.
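The additive tiers and the scope-failure behaviour described above, as an added example that is not verxion's own code. It assumes the token carries a standard space-delimited OAuth scope string; the function names and sample tokens are hypothetical, and the read-only token is assumed to cover all five resource groups.

```python
# Added illustration of the scope model; not verxion's implementation.
# All function and variable names here are hypothetical.
RESOURCES = ("workouts", "nutrition", "profile", "social", "notes")
TIERS = ("read", "write", "destructive")  # ordered lowest to highest


def parse_scope(scope):
    """Split '<resource>.<tier>' into (resource, tier rank); reject anything else."""
    resource, sep, tier = scope.partition(".")
    if not sep or resource not in RESOURCES or tier not in TIERS:
        raise ValueError(f"unknown scope: {scope!r}")
    return resource, TIERS.index(tier)


def granted_levels(scope_string):
    """Map each resource to the highest tier rank found in the scope string."""
    levels = {}
    for scope in scope_string.split():
        resource, rank = parse_scope(scope)
        levels[resource] = max(rank, levels.get(resource, -1))
    return levels


def is_allowed(scope_string, required):
    """True if the token's scopes cover `required` under the additive tiers."""
    resource, needed = parse_scope(required)
    try:
        levels = granted_levels(scope_string)
    except ValueError:
        return False  # fail closed on a malformed token scope (assumed policy)
    # A higher tier implies the lower ones; no grant for a resource means deny.
    return levels.get(resource, -1) >= needed


# Constructed sample tokens: the default set (write tier on all five groups)
# and a read-only set (assumed here to cover all five groups as well).
DEFAULT_TOKEN = " ".join(f"{r}.write" for r in RESOURCES)
READ_ONLY_TOKEN = " ".join(f"{r}.read" for r in RESOURCES)

if __name__ == "__main__":
    for required in ("workouts.read", "workouts.write", "workouts.destructive"):
        print(required,
              "default:", is_allowed(DEFAULT_TOKEN, required),
              "read-only:", is_allowed(READ_ONLY_TOKEN, required))
```
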
Revoking access
Sign out from the setup page to invalidate the current token. Generate a new snippet and update your client config when you want to reconnect. We never share or persist tokens beyond the session that issued them.