Update changelog and docs

jsourcebot · jsourcebot · commit 42123cc42309 · 2026-06-11T14:11:17.000-07:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -29,7 +29,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Fixed issue where using multiple identity providers of the same type (e.g., gitlab) would result in unexpected behaviours. [#1177](https://github.com/sourcebot-dev/sourcebot/pull/1177)
 - Fixed a race condition where large repositories could be indexed twice within a single reindex interval. [#1298](https://github.com/sourcebot-dev/sourcebot/pull/1298)
 - Upgraded `shell-quote` to `^1.8.4`. [#1299](https://github.com/sourcebot-dev/sourcebot/pull/1299)
-- [EE] Fixed MCP OAuth connectors (e.g. Atlassian) rejecting the authorization request when `offline_access` was not explicitly enabled by an admin. The OAuth scopes dialog now pre-selects `offline_access` when the connector offers it; admins can still untick it to opt out of refresh tokens. [#1292](https://github.com/sourcebot-dev/sourcebot/pull/1292)
+- [EE] Fixed MCP OAuth connectors (e.g. Atlassian) rejecting authorization when `offline_access` was not enabled. When adding a connector, the scopes dialog now pre-selects `offline_access` (admins can untick it) and warns when it is the only selected scope. [#1292](https://github.com/sourcebot-dev/sourcebot/pull/1292)
 
 ## [5.0.1] - 2026-06-04
 
diff --git a/docs/docs/features/ask/connectors.mdx b/docs/docs/features/ask/connectors.mdx
@@ -56,6 +56,8 @@ Owners can configure which OAuth scopes users authorize when connecting to a con
 
 Sourcebot checks the connector for discoverable scopes and shows them as options. You can also add custom scopes.
 
+When you select scopes, most providers grant only what you request, so include the resource scopes the connector's tools need.
+
 <div className="max-w-sm mx-auto">
   <Frame>
     <img
@@ -81,7 +83,7 @@ Changing connector scopes requires all users to re-authenticate with that connec
 </Warning>
 
 <Note>
-`offline_access` is pre-selected when offered by the connector because token refresh requires it. You can untick it to opt out of refresh tokens, but users will need to re-authenticate every time their access token expires. Some connectors (such as Atlassian) reject authorization entirely without it.
+`offline_access` is pre-selected when you add a connector that offers it because token refresh requires it. You can untick it to opt out of refresh tokens, but users will need to re-authenticate every time their access token expires. Some connectors (such as Atlassian) reject authorization entirely without it.
 </Note>
 
 ## Tool Permissions
