From 215470cfa56893eea90460b10ca07ad9e7176502 Mon Sep 17 00:00:00 2001
From: sergical
Date: Wed, 24 Jun 2026 01:07:03 +0000
Subject: [PATCH] fix(auth): add alerts:read and alerts:write to default OAuth scopes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
sentry alert metrics create was blocked with 403 even after sentry auth login because the metric alert POST endpoint has a secondary permission check (check_can_create_alert) that requires alerts:write, org:write, or org:admin — none of which were in the CLI's default OAuth scope set. Dashboard creation works fine because its POST only gates on org:read, which is already in scope. The inconsistency was the missing alerts:write. Add alerts:read and alerts:write to OAUTH_SCOPES. Users with existing tokens will need to re-authenticate to pick up the new scopes: sentry auth logout && sentry auth login Update generated doc sections in DEVELOPMENT.md and self-hosted.md (script/generate-docs-sections.ts regenerates these from OAUTH_SCOPES).
Co-Authored-By: sentry-junior[bot] <264270552+sentry-junior[bot]@users.noreply.github.com>
---
 DEVELOPMENT.md | 1 +
 docs/src/content/docs/self-hosted.md | 2 +-
 src/lib/oauth.ts | 2 ++
 3 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/DEVELOPMENT.md b/DEVELOPMENT.md
index b13f13209..98a3630f9 100644
--- a/DEVELOPMENT.md
+++ b/DEVELOPMENT.md
@@ -70,6 +70,7 @@ When creating your Sentry OAuth application:
 - `event:read`, `event:write`
 - `member:read`
 - `team:read`, `team:write`
+ - `alerts:read`, `alerts:write`
 ## Environment Variables
diff --git a/docs/src/content/docs/self-hosted.md b/docs/src/content/docs/self-hosted.md
index c3117cbb9..021622fd4 100644
--- a/docs/src/content/docs/self-hosted.md
+++ b/docs/src/content/docs/self-hosted.md
@@ -56,7 +56,7 @@ If your instance is on an older version or you prefer not to create an OAuth app
 1. Go to **Settings → Developer Settings → Personal Tokens** in your Sentry instance (or visit `https://sentry.example.com/settings/account/api/auth-tokens/new-token/`)
 2. Create a new token with the following scopes:
-`project:read`, `project:write`, `project:admin`, `org:read`, `event:read`, `event:write`, `member:read`, `team:read`, `team:write`
+`project:read`, `project:write`, `project:admin`, `org:read`, `event:read`, `event:write`, `member:read`, `team:read`, `team:write`, `alerts:read`, `alerts:write`
 3. Pass it to the CLI:
diff --git a/src/lib/oauth.ts b/src/lib/oauth.ts
index 74dc5486d..e573d090b 100644
--- a/src/lib/oauth.ts
+++ b/src/lib/oauth.ts
@@ -88,6 +88,8 @@ export const OAUTH_SCOPES: readonly string[] = [
 "member:read",
 "team:read",
 "team:write",
+ "alerts:read",
+ "alerts:write",
 ];
 /** Space-joined scope string for OAuth requests (full default set). */
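Review bot: The two entries added to `OAUTH_SCOPES` in src/lib/oauth.ts widen the default grant without any comment recording why, and the trailing doc comment calls this the full default set, so every token issued at login now carries `alerts:write` whether or not the user ever touches alerts. A token with that scope can change alert rules, which matters if one leaks, so the reason for the broader grant should sit next to the entry, for example `// alerts:write: metric alert POST requires it (check_can_create_alert), else 403`. The description justifies only `alerts:write`; if `alerts:read` is not needed by a command today, I would leave it out or add a comment naming the command that uses it. The array begins before this hunk, so I cannot see whether the other scopes are annotated or whether the CLI can request scopes per command instead of by default.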