Hello Jivers,

You must all have seen this document --> OAuth 2.0

It explains how to use OAuth for REST API calls.


If you have registered an add-on using the OAuth flow (known as the OAuth Dance in Jive), you can use the jive-sdk on your add-on server to make REST API calls with OAuth.


You must already have seen this in the jive-sdk; it can be used to make REST API calls using the tokens sent by Jive:


var jive = require('jive-sdk');
// Look up the registered community by its URL, then call the REST API with the add-on's OAuth token
jive.context.persistence.findByID("community", env.jiveUrl).then(function (community) {
    return jive.community.doRequest(community, {
        url: someApiUrl,
        method: "GET"
    });
});

When we use OAuth, the add-on has full access by default.




So if you call any REST API using this add-on, you can do anything on your Jive instance.

If this add-on performs actions in response to webhook events or to user actions sent from the app, that is like saying this automated process can perform super admin tasks.

Obviously we don't want an automated process to have full access all the time.


There is a simple way to reduce permissions of this add-on.


In the screenshot above I have an add-on called jivetest which has super admin access.

Whenever you register an add-on, something like a service account is created in Jive.

You won't find this account in the list of users, but you can find it under User overrides on the Permissions tab.




You can see an option to edit permissions for this new account.

Here you can reduce the permissions to just what the add-on needs.




People used to the new Google APIs may know the concept of scopes.

You have to grant each individual scope that a service account needs before it can call the corresponding APIs.

Example:






In Jive, the User override described above is one way to achieve something similar for add-on service accounts.
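To show how the same idea carries into the add-on code itself, here is an added example (not from the original post and not part of the jive-sdk project): a small guard around the add-on's REST calls. The add-on declares the handful of calls it was designed to make, mirroring the narrowed User override, refuses anything outside that list before it ever reaches Jive, and turns an HTTP 403 from a narrowed service account into a clear error instead of a silent failure. The allow-list, the example.jiveon.com URL and the fakeDoRequest stand-in are constructed for the example; the request function is injected so the block runs offline, and in a real add-on you would pass function (opts) { return jive.community.doRequest(community, opts); }. The response shape {statusCode, entity} is an assumption about what that call resolves with.

```javascript
// Added example: a least-privilege guard for an add-on's REST calls.
// `doRequest` is injected; in a real add-on it wraps jive.community.doRequest.

// The operations this hypothetical add-on legitimately needs (constructed list).
// Keep it in sync with the User override you set on the Permissions tab.
var ALLOWED_CALLS = [
  { method: "GET",  pathPrefix: "/api/core/v3/people/@me" },
  { method: "GET",  pathPrefix: "/api/core/v3/contents" },
  { method: "POST", pathPrefix: "/api/core/v3/contents" }
];

// True when the method and path match one of the allow-list rules.
function isAllowed(method, path) {
  return ALLOWED_CALLS.some(function (rule) {
    return rule.method === method.toUpperCase() && path.indexOf(rule.pathPrefix) === 0;
  });
}

// Resolves with the response entity, or rejects with a descriptive Error when
// the call is outside the allow-list or Jive denies it (HTTP 403) because the
// service account's override does not grant that permission.
function guardedRequest(doRequest, jiveUrl, method, path) {
  var pathOnly = path.split("?")[0];
  if (!isAllowed(method, pathOnly)) {
    return Promise.reject(new Error("add-on policy: " + method + " " + pathOnly + " is not in the allow-list"));
  }
  return doRequest({ url: jiveUrl + path, method: method.toUpperCase() }).then(function (response) {
    if (response.statusCode === 403) {
      throw new Error("service account lacks permission for " + method + " " + pathOnly + " (check User overrides)");
    }
    if (response.statusCode >= 400) {
      throw new Error("Jive returned HTTP " + response.statusCode + " for " + method + " " + pathOnly);
    }
    return response.entity;
  });
}

// Constructed stand-in for jive.community.doRequest: pretends the service
// account may read people and contents but was not granted content creation.
function fakeDoRequest(opts) {
  var path = opts.url.replace("https://example.jiveon.com", "");
  if (opts.method === "POST" && path.indexOf("/api/core/v3/contents") === 0) {
    return Promise.resolve({ statusCode: 403, entity: { error: { message: "forbidden" } } });
  }
  return Promise.resolve({ statusCode: 200, entity: { ok: true, path: path } });
}

// Usage: one permitted read, then a write the override does not allow.
guardedRequest(fakeDoRequest, "https://example.jiveon.com", "GET", "/api/core/v3/people/@me")
  .then(function (entity) { console.log("allowed:", entity); })
  .then(function () { return guardedRequest(fakeDoRequest, "https://example.jiveon.com", "POST", "/api/core/v3/contents"); })
  .catch(function (err) { console.log("denied:", err.message); });
```

The allow-list is a second line of defence, not a replacement for the override: the override decides what Jive will let the account do, while the guard makes sure a bug or an unexpected webhook payload cannot steer the add-on into calls it was never meant to make, and it makes a permission gap visible in the add-on's logs the first time it happens.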