Removes obsolete/approval gated oauth2 scopes. #5127
Conversation
Removes the oauth2 scopes which: reference parts of the API which are no longer usable; or require approval (which cannot currently be obtained) to use.
|
These are still used and given to select development partners. |
|
One would assume "select development partners" are given docs which contain the complete list of scopes discord offers. I also think the store section – probably even the whole of – the SDK should be reviewed, since it documents code clearly written for api version 6. I did not remove any of it here because I felt like that would be making the scope of this pull request too large. These docs are for the publicly available API; unless someone from discord can confirm the community docs are used by those developers I really see no need to keep the scopes around here, they are causing people confusion over what api surface they have access to. |
There was a problem hiding this comment.
tbf, I'm not sure if we should remove them or not. It's already stated they require approval/whitelisting.
Maybe a clarification that Discord usually doesn't grant access to these scopes (or if they do, how to request them) could be enough.
However, I've left a comment below.
| | relationships.read | allows your app to know a user's friends and implicit relationships - requires Discord approval | | ||
| | rpc | for local rpc server access, this allows you to control a user's local Discord client - requires Discord approval | | ||
| | rpc.activities.write | for local rpc server access, this allows you to update a user's activity - requires Discord approval | | ||
| | rpc.notifications.read | for local rpc server access, this allows you to receive notifications pushed out to the user - requires Discord approval | | ||
| | rpc.voice.read | for local rpc server access, this allows you to read a user's voice settings and listen for voice events - requires Discord approval | | ||
| | rpc.voice.write | for local rpc server access, this allows you to update a user's voice settings - requires Discord approval | |
There was a problem hiding this comment.
RPC is technically usable without approval (for the app owner and up to 50 "testers" declared in the dev portal).
| | applications.commands | allows your app to use [commands](#DOCS_INTERACTIONS_APPLICATION_COMMANDS/) in a guild | | ||
| | applications.commands.update | allows your app to update its [commands](#DOCS_INTERACTIONS_APPLICATION_COMMANDS/) using a Bearer token - [client credentials grant](#DOCS_TOPICS_OAUTH2/client-credentials-grant) only | | ||
| | applications.commands.permissions.update | allows your app to update [permissions for its commands](#DOCS_INTERACTIONS_APPLICATION_COMMANDS/permissions) in a guild a user has permissions to | | ||
| | applications.entitlements | allows your app to read entitlements for a user's applications | | ||
| | applications.store.update | allows your app to read and update store data (SKUs, store listings, achievements, etc.) for a user's applications | |
There was a problem hiding this comment.
That is not the point here – the point is you cannot reasonably expect to use the store endpoints that scope grants access to.
|
Removing approval only scopes isn't helpful at all, these scopes do exist and they should be documented for 2 large reasons:
If there's any scope that should be delisted it's As for blanket removing the game SDK, it's still used in some applications and it's discord's responsibility to maintain that documentation for those developing applications that still use it, even if the technology is depreciated. Again, some of this technology is even being re-used. Hell Discord's own sticker packs are technically part of an SKU lol. The RPC API is largely depreciated but it still has potential uses for industry partners developing applications. There's no real gain from removing these scopes. I think it's pretty clear which ones are and aren't for unvetted public use. As a rookie developer years back I understood what I could/couldn't use and deduced that the ones with the big 'requires approval' (or whitelist at the time) were not for me. Some of these scopes also actually have in-the-wild production applications using them. Integrated applications are one example, the Discord streamkit is another. |
|
If and when these features are repurposed with a different intent, they can be added back with the relevant feature documentation. If there is a closed set of applications using legacy technology from discord, these scopes should not be listed in this table as things people can use today. My recommendation here would be a separate section of the docs containing the legacy documentation. |
|
I think all scopes should continue to be listed. Maybe to reduce confusion separate them into 3 lists next to each other:
some of the scopes this pr deletes are publicly available anyway |
|
but... people can use them today? I gave 2 examples of applications that actively use some of these scopes? Delisting these is literally just reductive and harms the developer experience for people using the technology, legacy or not. Complicating the docs with a legacy section is redundant when this is a list of scopes that have actual use cases and in-the-wild uses in applications. It wouldn't make sense to move the documentation of these scopes away from the scope documentation and into some legacy section, that's not a good developer experience. Just because they aren't usable by everyone doesn't mean they shouldn't be documented. If Discord started adding facebook-esque tracking scopes to oauth I think you would probably want to know even if you couldn't access that scope. Discord generally retain documentation of sunset or legacy features so developers still using them can both understand and migrate away from them. Command permissions on slash commands is a good example of exactly this. Stage discovery status too. The API could in some cases return those variables so they're documented. I understand that you see this as removing unused technology but it is used and it should be documented even if it's not intended for use by all developers. Imagine if you were developing an app that used an api endpoint that was later delisted from documentation. The endpoint still works for you. You still rely on it. But you have no idea what it returns in what cases which is deeply unhelpful because then you have to reverse engineer something you're dependant on. That's very much a bad experience. tl;dr they should stay listed regardless. I agree with advaith above that seperating out the scopes but keeping them in this part of the docs may be helpful but again, I don't think 'requires Discord approval' is a very confusing statement. |
|
I'm going to close this in favour of a separate table |
Removes the oauth2 scopes which: reference parts of the API which are no longer
usable; or require approval (which cannot currently be obtained) to use.