How do I have only read-only scopes for the MCP server, and restrict it from doing any write operations?
I have tried adding scopes in my mcp.json using env variables and arguments, but they did not work.
"atlassian": {
  "command": "npx",
  "args": [
    "-y",
    "mcp-remote@0.1.0",
    "https://mcp.atlassian.com/v1/sse",
    "--static-oauth-client-metadata", "{\"scope\":\"read:jira-work read:jira-user\"}"
  ]
}
"atlassian": {
  "command": "npx",
  "args": [
    "-y",
    "mcp-remote@0.1.0",
    "https://mcp.atlassian.com/v1/sse"
  ],
  "env": {
    "ATLASSIAN_SCOPES": "read:field:jira read:project:jira read:jira-user read:avatar:jira"
  }
},
Whatever scope I add here, the MCP server still exposes the write-operation-related tools:
• addCommentToJiraIssue
• createJiraIssue
• editJiraIssue
• transitionJiraIssue
Is there a different approach to do this? How are the scopes provided to the MCP server in the OAuth flow?