We are using the Atlassian Rovo MCP integration and have enabled all available read and search scopes in the Rovo MCP settings UI. Despite this, every Confluence tool call fails at runtime. It was working previously but has suddenly stopped, and we're not sure why.
What works
- getAccessibleAtlassianResources — returns our site correctly, with cloud ID 8f2d4697-... and site URL creativeforce.atlassian.net
However, the response only lists two scopes on the token:
- read:confluence:agent-interface
- search:confluence:agent-interface
What fails — all with the same error
Every other Confluence tool returns:
Authentication failed: {"code": 401, "message": "Unauthorized; scope does not match"}
This includes:
- getConfluenceSpaces
- getPagesInConfluenceSpace
- getConfluencePage
- getConfluencePageDescendants
- searchConfluenceUsingCql
- getConfluencePageFooterComments
- getConfluencePageInlineComments
- getConfluenceCommentChildren
Additionally, the generic search (Rovo Search) tool returns a different error:
Access denied. Your account does not have permission to search Jira or Confluence content.
Our questions
1. Are read:confluence:agent-interface and search:confluence:agent-interface the only scopes Rovo MCP ever provisions, or should additional scopes such as read:confluence-content:confluence be present on the token when those settings are enabled?
2. Is there a known issue where enabling scopes in the Rovo MCP settings UI does not propagate to the runtime token? Is a disconnect/reconnect or manual token refresh required?
3. Why does getAccessibleAtlassianResources succeed while all other Confluence tools fail — does it use a different auth mechanism or endpoint?
4. Why does the generic Rovo search tool return a 403 (access denied) rather than the 401 (scope mismatch) that all other tools return? Does this tool require a separate permission grant?
5. What is the correct set of scopes required for each Confluence MCP tool, and where can these be verified?
Any suggestions?