Permissions we request
Last updated: May 2, 2026 · A complete list of every OAuth scope One Click Campaign Studio asks for, why it’s needed, and what would break without it. This is our single source of truth for app-review submissions.
Meta — Facebook + Instagram
Connected via Facebook Login. Instagram Business publishing rides on the same OAuth grant because Instagram Business accounts are linked to a Facebook Page.
| Scope | Why we need it | What would break without it |
|---|---|---|
| Account identity | Sign-in via Facebook | |
| public_profile | Display the connecting user’s name in Settings | Settings page can’t identify which Facebook user is connected |
| pages_show_list | List the Facebook Pages the user manages so they can pick which one to post to | Page picker UI in Settings → Connected accounts is empty |
| pages_manage_posts | Publish text/image/video posts to the selected Facebook Page from the campaign composer | Facebook posts can’t be published |
| pages_read_engagement | Pull engagement counts (likes, comments, reach) for posts we previously published | Engagement metrics on the post analytics dashboard are blank |
| instagram_basic | Identify the Instagram Business account linked to the chosen Facebook Page | Cannot detect or display the user’s IG Business account |
| instagram_content_publish | Publish images, videos, and carousels to the user’s Instagram Business account | Instagram posts can’t be published |
LinkedIn — member feed
Sign In with LinkedIn using OpenID Connect. Posts to the connecting member’s feed.
| Scope | Why we need it | What would break without it |
|---|---|---|
| openid | Standard OpenID Connect identity claim | Cannot identify the connecting member |
| profile | Display the member’s name + profile picture in Settings | Settings shows “LinkedIn user” with no name or avatar |
| Match the LinkedIn account to an existing OCCS account on first connect | A second OCCS account would be created on first sign-in via LinkedIn | |
| w_member_social | Publish text posts (and, in the planned business-page expansion, image/video posts) to the member’s feed | LinkedIn posts can’t be published |
LinkedIn — business Pages
Second LinkedIn app, separately connected from the personal-feed app. Posts to LinkedIn Pages that the connecting member is an Administrator of.
| Scope | Why we need it | What would break without it |
|---|---|---|
| openid profile email | Identify the connecting member in Settings (same as personal-feed flow) | Settings shows no name or avatar for the connection |
| r_organization_admin | List the LinkedIn Pages this member admins so they can pick which Page to post to | Page picker UI in Settings → Connected accounts is empty |
| w_organization_social | Publish posts to the selected LinkedIn Page from the campaign composer | Page posts can’t be published |
| rw_organization_admin | Read engagement counts (likes, comments, reach) on Page posts we previously published, for the analytics dashboard | Engagement metrics on the post analytics dashboard are blank for Page posts |
Google — YouTube, Sheets, Ads
A single Google OAuth grant covers three distinct in-product workflows. Users see all scopes in a single consent screen but only the scopes for the workflow they actually invoke ever get exercised against Google’s APIs.
| Scope | Workflow | Why we need it | What would break without it |
|---|---|---|---|
| email profile | Sign-in | Account identity | Cannot match Google sign-in to an OCCS account |
| youtube | YouTube | List the user’s YouTube channels so they can pick which channel to upload videos to + update channel branding when needed | Channel picker is empty; cannot select a channel |
| youtube.readonly | YouTube | Strict subset of youtube, declared explicitly so least-privilege intent is on the record | No functional impact (subset) |
| youtube.upload | YouTube | Upload sales videos and produced video assets to the user’s YouTube channel as part of multi-channel campaign publishing | YouTube uploads can’t happen; campaigns with a YouTube branch fail |
| spreadsheets.readonly | Sheets | Read row data from a spreadsheet the user picks, to import contacts into OCCS contact lists | Sheets contact import is non-functional |
| drive.metadata.readonly | Sheets | Show the user a list of their spreadsheets to choose from. Metadata only — we never download Drive file content | Cannot present a spreadsheet picker |
| adwords | Ads | Create campaigns, ad groups, keywords, and responsive search ads in the user’s Google Ads account from the campaign launch flow | Google Ads launches fail; users can’t publish ad campaigns |
X (Twitter)
OAuth 2.0 PKCE flow. Posts to the connecting account.
| Scope | Why we need it |
|---|---|
| tweet.read | Required by X for any authenticated request |
| tweet.write | Publish tweets from the campaign composer |
| users.read | Display the connecting account’s @handle in Settings |
| offline.access | Issue refresh tokens so we don’t force the user to reconnect every two hours |
TikTok
TikTok Business OAuth. Posts videos to the connecting account.
| Scope | Why we need it |
|---|---|
| user.info.basic | Identify the connecting account in Settings |
| video.publish | Publish videos from the campaign composer |
Revoking access
You can revoke any integration at any time from Settings → Connected accounts. We call the provider’s revoke endpoint as part of the disconnect flow so the OAuth grant is invalidated at the source — not just deleted from our database. You can also delete your entire One Click Campaign Studio account from Settings → Account, which disconnects all integrations and purges your personal data per our Privacy Policy.
Questions
Email privacy@1clickcampaign.com with any questions about a specific scope or its use.