Why do I need scopes: ['user:email', 'read:user'] to have access to public email?


Why do I need the scopes [‘user:email’, ‘read:user’] to have access to public email?
On REST API this information comes by default when accessing the user endpoint (/user/“user”).

curl -H "Authorization: token token" -X POST -d '{ "query": "query { user(login: \"user\") { id databaseId email } }" }' https://api.github.com/graphql

{"data":null,"errors":[{"message":"Your token has not been granted the required scopes to execute this query. The 'email' field requires one of the following scopes: ['user:email', 'read:user'], but your token has only been granted the: [''] scopes. Please modify your token's scopes at: https://github.com/settings/tokens.","locations":[{"line":1,"column":44}]}]}


Hi @hsborges,

I believe this was a bug that has since been resolved. Are you still required to pass these scopes when fetching this information?


Hello @bswinnerton, yes I do.
I asked that because I have an application and these scopes were not needed on v3.


I believe this might be an oversight. Let me look into it.


Hi @hsborges— the rational for this change was primarily for user consent. That is, an OAuth app previously could create a login (without asking for any explicit permissions) and collect users’ emails. We felt that this opaqueness was not fair. As well, requiring a token makes scraping these emails a bit harder.

Sorry for the mix-up, but as v4 is a brand new API, we are going to continue to make changes that benefit our users’ privacy and security over decisions made for the v3 API. Hope this helps!


Hi @gjtorikian, thank you for the clarification.