Scopes
-
Facebook Login for Business: email, public_profile — Authenticate Colosseum operator accounts. -
Pages API: pages_show_list, pages_read_engagement, pages_manage_posts, pages_manage_metadata — Publish to client-owned Pages with explicit consent; read engagement back for the Feedback agent. -
Instagram Graph API: instagram_basic, instagram_content_publish, instagram_manage_insights, instagram_manage_comments — Publish to client-owned Instagram Business accounts; read insights; respond to comments under documented response rules. -
Threads API: threads_basic, threads_content_publish, threads_manage_insights, threads_read_replies — Equivalent operations on Threads.
Data flow
Operator → Pages API → Colosseum → audit log → publish. Engagement data flows back from Meta into the Feedback agent and into the operator's dashboard, never out of the contracted scope.
Retention
Engagement data retained for 24 months for trend analysis. Account access tokens revoked on disconnection. All derived data deleted within 30 days of disconnection unless the operator opts in to retention for analytics continuity.
Deletion
Disconnect the integration in Facebook → Settings → Business Integrations, or submit a deletion request at /data-rights. SLA 30 days.
TikTok
Scopes
-
user.info.basic, user.info.profile — Authenticate the operator's TikTok account. -
video.publish, video.upload — Publish to client-owned TikTok Business accounts via the official content posting API. -
video.list, user.video.list — Read engagement metrics for content the operator has authorised us to publish.
Data flow
Operator → TikTok for Business API → Colosseum → audit log → publish. Engagement read into Feedback agent.
Retention
Engagement: 24 months. Tokens revoked on disconnection. Derived data: 30-day deletion.
Deletion
Revoke at TikTok → Settings → Connected apps, or via /data-rights.
YouTube
Scopes
-
youtube.upload — Publish to operator-authorised YouTube channels. -
youtube.readonly — Read public engagement metrics for the Feedback agent. -
youtube.force-ssl — Required by YouTube for any write operation.
Data flow
Operator → Google OAuth (Brand Verification) → YouTube Data API v3 → Colosseum → audit log → publish.
Retention
Engagement: 24 months. Tokens revoked on disconnection. Derived data: 30-day deletion.
Deletion
Revoke at Google → Account → Security → Third-party access, or via /data-rights.
X
Scopes
-
tweet.read, tweet.write — Publish to operator-authorised X handles and read engagement. -
users.read — Resolve the connected user's profile.
Data flow
Operator → X OAuth 2.0 → X v2 API → Colosseum → audit log → publish.
Retention
Engagement: 24 months. Derived data: 30-day deletion.
Deletion
Revoke at X → Settings → Connected apps, or via /data-rights.
LinkedIn
Scopes
Deferred to Phase 6.5 — see /research.
Data flow
Deferred to Phase 6.5 along with /work — see /research for the Phase 6.5 trigger logic.
Retention
n/a until Phase 6.5
Deletion
n/a until Phase 6.5
Pinterest
Scopes
-
pins:write, pins:read — Publish and read pins on operator-authorised Pinterest business accounts. -
boards:read — List available boards before publishing.
Data flow
Operator → Pinterest OAuth → Pinterest API → Colosseum → audit log → publish.
Retention
Engagement: 24 months. Derived data: 30-day deletion.
Deletion
Revoke at Pinterest → Settings → Apps, or via /data-rights.
Snap
Scopes
-
snapchat-marketing-api:read, snapchat-marketing-api:write — Publish and read on operator-authorised Snap accounts.
Data flow
Operator → Snap OAuth → Snap Marketing API → Colosseum → audit log → publish.
Retention
Engagement: 24 months. Derived data: 30-day deletion.
Deletion
Revoke at Snap → Settings → Permissions, or via /data-rights.