What it means
Aeris uses fine-grained OAuth scopes. Most mutating tools require anapply scope on top of the default read scope. If a caller with a read-only grant invokes a mutating tool, the request fails with SCOPE_INSUFFICIENT. The user must re-consent to add the missing scope — refreshing the token alone will not help.
How to fix
- Compare
details.requiredwithdetails.grantedto see which scopes are missing. - Redirect the user through the OAuth consent flow again with the extended scope set.
- Store the refreshed grant; the same tool call should then succeed.
Response envelope
Related
AUTH_EXPIRED— refresh solves it; here, re-consent is needed.ENTITLEMENT_LOCKED— also 403, but blocked by plan rather than by scope.VIEWER_READ_ONLY— admin view-as sessions cannot mutate regardless of scope.