Hi, after reading the documentation and playing around with the request and response of OAuth2, I can’t seem to get the account’s ID from the oauth2 response.
So suppose if a non-admin user installed my app and initiated oauth2, does it mean the access token can be used to Send Notification to all users within that monday.com account ?
Could someone clarify more on this ?
Hope this helps 
Thank you @kolaai for the reply!
@wk_kong was that the information you needed?
Do you have any questions?
Cheers,
Matias
Another question related to this.
Now that apps can be installed in a specific workspace (and not visible to use in other workspaces), does that in any way scope an OAuth2 token to that workspace? Meaning, can the token access boards outside the workspace the app is installed in?
This is relevant if an app needs to access items on connected boards that are not in the workspace the app is installed in.
I don’t have an enterprise account for testing…
Additionally if the token is scoped to the workspace, is a token created for a recipe in one workspace, going to also work in the other workspaces the app gets installed in?
How do we differentiate the tokens when the workspace isn’t in the oauth process (is it in the token if its restricted to a workspace?)
Hi @codyfrisch!
Great question, i’ll check in with the team who implemented this change and get back to you with the update
Hi @codyfrisch!
I’ve heard back from the team:
“Now that apps can be installed in a specific workspace (and not visible to use in other workspaces), does that in any way scope an Auth2 token to that workspace? Meaning, can the token access boards outside the workspace the app is installed in?”
Yes, the token is scoped to all permitted workspaces, and cannot access boards outside those workspaces.
"Additionally if the token is scoped to the workspace, is a token created for a recipe in one workspace, going to also work in the other workspaces the app gets installed in?"
It will work in other spaces if the app is permitted for the other workspace.
“How do we differentiate the tokens when the workspace isn’t in the oath process (is it in the token if its restricted to a workspace?)”
It’s not in the token-- in general, a token is allowed to access all workspaces that the user allows the app to use, we don’t create different token for each workspace.
I hope this helps! Please let me know if you have any more questions.
So does this mean, if an app is installed in Workspace A and not B, but a board in workspace A connects to a board in workspace B - and the user that installed the app has access to both workspaces, the app cannot read the connected items even though the user can?