[Bug]: Gmail scopes incorrect for some tools

[tomgreeEn]

SDK Language

Both

SDK Version

API

Runtime Environment

API

Environment

Local Development

Describe the Bug

The scopes returned from the api for some Gmail tools are incorrect - they are more permissive than required, and are not included in the defualt scopes requested when creating the connection.

Specifically this scope is listed as required:
https://www.googleapis.com/auth/contacts

For GMAIL_GET_CONTACTS, GMAIL_GET_PEOPLE, GMAIL_SEARCH_PEOPLE

These are all GET requests and do not require the read/write permissions of https://www.googleapis.com/auth/contacts
as they already have enough access via https://www.googleapis.com/auth/contacts.readonly etc

Steps to Reproduce

Add API key to the below request and send

Minimal Reproducible Example

// Get tool by slug (GET /api/v3/tools/:tool_slug)
const response = await fetch("https://backend.composio.dev/api/v3/tools/GMAIL_SEARCH_PEOPLE?toolkit_versions=latest", {
  method: "GET",
  headers: {
    "x-api-key": "..."
  },
});

const body = await response.json();
console.log(body);

/*
{
  "slug": "GMAIL_SEARCH_PEOPLE",
  "name": "Search People",
  "toolkit": {
    "slug": "gmail",
    "name": "gmail",
    "logo": "https://logos.composio.dev/api/gmail"
  },
  ...
  "scopes": [
    "https://www.googleapis.com/auth/contacts", // <---- this includes write access and is not required for searching people; and it's not included in default connection scope
    "https://www.googleapis.com/auth/contacts.readonly" <--- this is the only one we actually need
  ],
}

*/

Error Output / Stack Trace

See comment above

Reproducibility

• Always reproducible
• Intermittent / Sometimes
• Happened once, can’t reproduce

Additional Context or Screenshots

No response

[Uday-sidagana]

Hey @tomgreeEn , the scopes returned in the tool schema are not all strictly required. They reflect the scopes that are relevant or returned by the dependency graph.

For example, the following scopes may appear:

"scopes": [
  "https://www.googleapis.com/auth/contacts",
  "https://www.googleapis.com/auth/contacts.readonly",
  "https://www.googleapis.com/auth/contacts.other.readonly"
]

The tools GMAIL_GET_CONTACTS and GMAIL_SEARCH_PEOPLE do not require the https://www.googleapis.com/auth/contacts scope, since these are GET endpoints and do not need write permissions.

his scope appears in the list due to dependency/relevancy resolution. You can safely use a read-only scope (for example, https://www.googleapis.com/auth/contacts.readonly) to get the tool working. Alternatively, you can also use https://www.googleapis.com/auth/contacts and the tool will work as expected.

Let me know if this answers the query.

[acsrujan]

@tomgreeEn Hey, on other note, can you rotate the API key ak_*******Jl1 immediately? While the bug was edited, this API key still appears in git history.

[tomgreeEn]

Yeah I did as soon as I posted it...thanks for the heads up though

…

On 30 Jan 2026 at 05:24, Srujan ***@***.***> wrote: acsrujan left a comment (ComposioHQ/composio#2463) @tomgreeEn Hey, on other note, can you rotate the API key ak_*******Jl1 immediately? While the bug was edited, this API key still appears in git history. — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you were mentioned.Message ID: ***@***.***>