Make custom connection scopes configurable (#136)

* Make custom connections scopes configurable
* update README

Author: amanda-ducrou

README.md

@@ -57,6 +57,8 @@ Custom connections require different scopes depending on when they were created.
 | After Apr 27, 2026 | [SCOPES_V2](src/clients/xero-client.ts#L93-L112) (granular permissions) |
 
 > **Note:** The MCP server automatically tries V1 scopes first and falls back to V2 if needed.
+> 
+> You can override these by setting the `XERO_SCOPES` environment variable to a space-separated list of scopes.
 
 ##### Integrating the MCP server with Claude Desktop
 
@@ -70,13 +72,16 @@ To add the MCP server to Claude go to Settings > Developer > Edit config and add
       "args": ["-y", "@xeroapi/xero-mcp-server@latest"],
       "env": {
         "XERO_CLIENT_ID": "your_client_id_here",
-        "XERO_CLIENT_SECRET": "your_client_secret_here"
+        "XERO_CLIENT_SECRET": "your_client_secret_here",
+        "XERO_SCOPES": "accounting.invoices accounting.contacts accounting.settings"
       }
     }
   }
 }
 ```
 
+The `XERO_SCOPES` variable is optional. If omitted, the default scopes listed above will be used.
+
 NOTE: If you are using [Node Version Manager](https://github.com/nvm-sh/nvm) `"command": "npx"` section change it to be the full path to the executable, ie: `your_home_directory/.nvm/versions/node/v22.14.0/bin/npx` on Mac / Linux or `"your_home_directory\\.nvm\\versions\\node\\v22.14.0\\bin\\npx"` on Windows
 
 #### 2. Bearer Token

src/clients/xero-client.ts

@@ -125,7 +125,16 @@ class CustomConnectionsXeroClient extends MCPXeroClient {
   }
 
   public async getClientCredentialsToken(): Promise<TokenSet> {
-    // Try V1 scopes first (for existing apps), fallback to V2 scopes (for new apps) only on invalid_scope error
+    // If XERO_SCOPES is set, use that
+    if (process.env.XERO_SCOPES) {                                                                                                                                                     
+      try {
+        return await this.requestToken(process.env.XERO_SCOPES);
+      } catch (envError) {
+        throw this.formatTokenError(envError, " with XERO_SCOPES");
+      }
+    }
+
+    // Else if XERO_SCOPES is not set, try V1 scopes first (for existing apps), fallback to V2 scopes (for new apps) only on invalid_scope error
     try {
       return await this.requestToken(this.XERO_DEFAULT_AUTH_SCOPES_V1);
     } catch (error) {