# The Connector Permission Cheat Sheet for Claude for Small Business: Twelve Connectors, Twelve Minimum-Permission Sets

When you connect QuickBooks, Gmail, Stripe, or Slack to Claude, the default OAuth scope is usually broader than what the skill actually needs. Here's the smallest viable permission set for each of the 12 launch connectors, with the rationale.

Author: J.A. Watte
Published: May 14, 2026
Source: https://jwatte.com/blog/blog-connector-permissions-claude-smb/

---

When you click "Connect QuickBooks" in Claude Cowork, the OAuth dialog asks you to authorize a fairly broad permission set. Most owners click through. That's how OAuth flows are designed; they're built for the common case, not the careful one.

For an AI agent that's about to take actions in your books, your inbox, and your bank, broad-by-default is the wrong default. The right approach is the principle of least permission: grant the smallest set of capabilities that lets the skill do its job, and nothing more. If the skill gets confused, gets prompt-injected, or just makes a mistake, the smaller permission set bounds the blast radius.

Here's the cheat sheet for the 12 connectors that shipped with [Claude for Small Business](/blog/blog-claude-for-small-business-walkthrough/) on May 13, 2026. For each, I'll list the default scope, the minimum scope, and what you give up by tightening.

## QuickBooks Online

**Default scope.** Read and write all company data, including chart of accounts, bills, invoices, journal entries, payroll if you have Payroll, and vendor records.

**Minimum scope for invoice-chase.** Read-only access to invoices, customers, and payment records. No write access at all.

**Minimum scope for books reconciliation.** Read access to all transactions; write access to "Class" and "Memo" fields only (so the agent can tag and annotate, not modify amounts).

**What you give up by tightening.** The agent can't auto-create new customers or auto-correct miscategorized expenses. It will draft these as suggestions for you to apply manually. That's the right default for the first month.

## PayPal

**Default scope.** Read all transactions; refund up to a configurable limit.

**Minimum scope.** Read-only on transactions. Refund permission off.

**What you give up.** The agent can't issue automatic refunds. It can draft a refund and surface it for your approval. For SMB volumes, the friction of a manual approval is trivial; the protection from a runaway refund-loop is huge.

## Stripe

**Default scope.** Read and write on all payment, customer, and subscription objects, including the ability to create charges.

**Minimum scope.** Read-only on payments, customers, subscriptions, disputes, and refunds. No write scope.

**What you give up.** Cannot auto-create charges or auto-refund. Same logic as PayPal. If you need automated billing, run that through Stripe's own subscription engine, not through an AI skill.

## Square

**Default scope.** Read all transactions and inventory; create payments and refunds.

**Minimum scope.** Read-only on transactions, inventory levels, and customer records.

**What you give up.** Cannot push inventory updates from AI. Worth keeping the agent away from inventory anyway. Inventory changes are usually triggered by physical events (a delivery, a stock count) that should not have an AI in the middle.

## Gmail

**Default scope.** Read, send, modify, and delete on all messages in all folders.

**Minimum scope for invoice-chase.** Read on the Inbox and Sent folders; send via a specific outbound alias (e.g., `billing@yourcompany.com`) that's distinct from your primary mailbox.

**Minimum scope for everything else.** Read-only on the Inbox; create drafts in your Drafts folder; no auto-send.

**What you give up.** Auto-send. The agent drafts, you review, you click send. For the first month, this is the default I'd recommend universally. After 30 days of "draft looked fine," you can promote specific workflows (invoice reminders being the most common) to auto-send.

## Google Drive

**Default scope.** Read and write across all files the connector can see.

**Minimum scope.** Read-only access, scoped to a specific folder (not your entire Drive). Create a folder named `claude-readable/` and only put files into it that the agent should have access to.

**What you give up.** The agent can't save outputs back to Drive. That's fine; let it surface outputs in the Cowork interface and copy them to Drive manually until you trust the categorization.

## Google Calendar

**Default scope.** Read, create, modify, and delete events on your primary calendar.

**Minimum scope.** Read-only on your primary calendar; create-only on a separate calendar named `claude-proposals` that you've added to your account.

**What you give up.** Cannot directly book meetings on your primary calendar. It books them on the proposals calendar instead, where you can see them and accept or move them. After 30 days, you can grant write on the primary calendar for specific event types (e.g., internal meetings only, never external customer-facing ones).

## Microsoft 365

**Default scope.** Full read/write on Outlook mail, OneDrive, Teams, and your calendar.

**Minimum scope.** Mirror the Gmail and Drive recommendations above. Read mail, draft only (no auto-send); read-only on a single OneDrive folder; read primary calendar, create on a "proposals" calendar.

**What you give up.** Same trade as the Google equivalents. The OneDrive/SharePoint scoping is harder than Drive because Microsoft's permission model is coarser; you may need to create a separate SharePoint site for the agent's access if your tenant is large.

## DocuSign

**Default scope.** Read, send, void, and manage all envelopes and templates.

**Minimum scope.** Read-only on envelope status and template list. No send permission.

**What you give up.** Cannot auto-send contracts for signature. This is the right default forever, not just for the first 30 days. Contract sends are high-stakes events that should never originate from an AI without a human in the loop.

## Slack

**Default scope.** Read and post in all channels the connector is added to; can also DM users.

**Minimum scope.** Add the Claude app to exactly two channels: one private channel for the agent's notifications (`#claude-alerts`), and one read-only channel where the agent can monitor for keywords. No DM permission.

**What you give up.** The agent cannot proactively message individuals. That's a feature, not a limitation. Slack DMs from AI agents to coworkers cause confusion and trust issues; route everything through the notification channel and let humans pick up the thread.

## Canva

**Default scope.** Read and write on all designs and brand assets in your team.

**Minimum scope.** Read-only on your brand kit; create-only in a folder named `claude-drafts`. The agent can draft graphics for marketing campaigns but cannot modify your master brand assets.

**What you give up.** Cannot directly update your published designs. That's the right safeguard for brand-consistent output; you'd want a human eye on any published graphic anyway.

## Webflow

**Default scope.** Read and write on all CMS content and site settings.

**Minimum scope.** Read-only on published content; create draft entries only in a specific CMS collection that you've designated as agent-staging. No publish permission.

**What you give up.** Cannot push live changes to your website. Hard rule: live website changes should never bypass a human review step, especially when the website is your primary lead source.

## The pattern across all 12

You probably noticed the rhythm. Every connector follows the same shape:

1. **Read-only by default.** The agent can see what it needs without modifying anything.
2. **Create-but-not-publish where useful.** Drafts, suggestions, and proposals in a separate location.
3. **Auto-publish only after 30 days of trust-but-verify.** And only for specific, low-stakes, easy-to-undo workflows.
4. **Never grant delete, send-money, or publish-public.** These belong with humans permanently.

If you remember nothing else, remember the four-rule version. Read-only, create-draft, never auto-publish, never irreversible.

## The audit tools that catch this for you

- **[Claude Skill Linter](/tools/claude-skill-linter/).** Paste your skill text. Flags 14 patterns including missing permission-scope statements and no-confirmation-on-delete. Run every new skill through this before you turn it on.
- **[API Secret Leakage Audit](/tools/api-secret-leakage-audit/).** Scans whatever you've connected to make sure you haven't accidentally pasted a real credential into a skill instruction file.
- **[FBI Fraud Reflex Card for SMBs](/tools/fbi-fraud-reflex-card/).** Pattern-matching for the social-engineering side of agent risk: a skill that gets prompt-injected into doing something it shouldn't.

## What to do this week

If you've already installed Claude for Small Business:

1. Open each connector you've turned on.
2. Check the current permission scope. Most likely it's broader than what the skill actually uses.
3. Tighten to the minimum scope from the cheat sheet above.
4. Run a single test workflow end-to-end to confirm the tighter scope still works.

If a workflow breaks because you tightened too much, the platform will tell you which permission was missing. Add it back one at a time. The right scope is the smallest one that still works, not the broadest one that always works.
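To make the four-rule pattern and steps 2 through 4 above mechanical, here is an added example (mine, not a tool from this post or from Anthropic) that diffs a connector's current OAuth grant against the workflow's minimum set and tags each excess scope with the rule it runs into. The scope strings are real Google OAuth scope URIs for Gmail, Drive and Calendar; the `FULL_ACCESS` and `PUBLISH` groupings, the sample grant, and the minimum set are this example's own constructed assumptions.

```python
"""Scope audit for one Claude connector, as an added example (not the post's tooling).
Scope strings are real Google OAuth scope URIs; the grant and minimum sets are constructed."""
from dataclasses import dataclass

# Rule 4 territory: full mailbox/drive/calendar control, including delete.
FULL_ACCESS = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/calendar",
}
# Rule 3 territory: sends on your behalf (gmail.compose sends too, despite the name).
PUBLISH = {
    "https://www.googleapis.com/auth/gmail.send",
    "https://www.googleapis.com/auth/gmail.compose",
}
ORDER = {"rule 4": 0, "rule 3": 1, "rule 2": 2, "rule 1": 3}  # most dangerous first

@dataclass(frozen=True)
class Finding:
    scope: str
    rule: str    # which of the post's four rules the excess grant runs into
    action: str  # what the owner should do about it

def classify(scope: str) -> tuple[str, str]:
    """Map one scope to (rule, recommended action) under the four-rule pattern."""
    if scope in FULL_ACCESS:
        return "rule 4: never delete/full-access", "revoke"
    if scope in PUBLISH:
        return "rule 3: auto-publish only after 30 days", "revoke until the trust period ends"
    if scope.endswith(".readonly"):
        return "rule 1: read-only", "allow"
    return "rule 2: create-but-not-publish", "keep only if confined to a separate location"

def audit(granted: set[str], minimum: set[str]) -> list[Finding]:
    """One Finding per scope granted beyond the workflow's minimum, worst first."""
    findings = [Finding(s, *classify(s)) for s in sorted(granted - minimum)]
    return sorted(findings, key=lambda f: ORDER[f.rule[:6]])

def missing(granted: set[str], minimum: set[str]) -> list[str]:
    """Scopes the workflow needs but the connector lacks: the test run in step 4 will fail."""
    return sorted(minimum - granted)

# Constructed sample: a broad default grant vs. the Gmail "everything else" minimum.
DEFAULT_GRANT = {"https://mail.google.com/", "https://www.googleapis.com/auth/gmail.send",
                 "https://www.googleapis.com/auth/gmail.readonly", "https://www.googleapis.com/auth/drive",
                 "https://www.googleapis.com/auth/drive.file", "https://www.googleapis.com/auth/calendar.readonly"}
MINIMUM = {"https://www.googleapis.com/auth/gmail.readonly", "https://www.googleapis.com/auth/calendar.readonly"}
```

Calling `audit(DEFAULT_GRANT, MINIMUM)` lists the full-mailbox and full-Drive scopes first as revoke-now, the send scope as revoke-until-trusted, and `drive.file` as acceptable only if confined to the agent's own folder; `missing()` is the check to run when a tightened workflow breaks in step 4.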

## The deeper version

This is the connector-side view of the broader argument in [The $100 Network](https://www.amazon.com/dp/B0FB1J28J9): that the under-$100 AI stack is now powerful enough to do real damage if turned on without thought, and the safeguards need to scale with the autonomy. If you want the full architecture-level version of how to build out from one skill to a coordinated suite without losing the safety story, that's the book.

## Related reading

- [Claude for Small Business walkthrough](/blog/blog-claude-for-small-business-walkthrough/), the launch announcement post and setup guide.
- [How a small business runs AI agents without a $47K surprise bill](/blog/blog-ai-agent-cost-controls-smb/), the cost-control companion to this permission walkthrough.
- [Before you pay an agency $3,500/month for proprietary AI](/blog/blog-spot-ai-vendor-markup/), vendor evaluation.
- [AI fraud reflexes for SMBs in 2026](/blog/blog-ai-fraud-reflexes-smb-2026/), prompt-injection and social-engineering risks.
- [Email infrastructure for small business](/blog/blog-email-infrastructure-small-business/), the deliverability layer beneath any Gmail-connected skill.

## Fact-check notes and sources

- Claude for Small Business connector list (the 12 launch connectors named in this post) per Inc.com's [coverage of the May 13, 2026 announcement](https://www.inc.com/ben-sherry/anthropics-newest-claude-feature-is-here-to-help-small-business-owners-with-their-pain-points/91343926).
- OAuth scope documentation for each named platform: [QuickBooks](https://developer.intuit.com/app/developer/qbo/docs/learn/explore-the-api/scopes), [PayPal](https://developer.paypal.com/api/rest/), [Stripe](https://stripe.com/docs/keys), [Square](https://developer.squareup.com/docs/oauth-api/overview), [Google APIs](https://developers.google.com/identity/protocols/oauth2/scopes), [Microsoft Graph](https://learn.microsoft.com/en-us/graph/permissions-reference), [DocuSign](https://developers.docusign.com/platform/auth/), [Slack](https://api.slack.com/scopes), [Canva](https://www.canva.dev/docs/connect/), [Webflow](https://developers.webflow.com/data/docs/scopes).
- Principle of least permission: this isn't a Claude-specific concept; it's a [NIST SP 800-53](https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final) baseline access control practice.

*This post is informational, not legal, contract, or security-engineering advice. Mentions of named platforms are nominative fair use. No affiliation is implied.*

