diff --git a/internal/config/config_setup.go b/internal/config/config_setup.go
index d8fcef1ec..2aaf597c8 100644
--- a/internal/config/config_setup.go
+++ b/internal/config/config_setup.go
@@ -26,8 +26,8 @@ func IsGitHubApp(id string) bool {
 	return id == "178c6fc778ccc68e1d6a" || id == "4d747ba5675d5d66553f"
 }
 
-func AuthFlowWithConfig(cfg Config, hostname, notice string) (string, error) {
-	token, userLogin, err := authFlow(hostname, notice)
+func AuthFlowWithConfig(cfg Config, hostname, notice string, additionalScopes []string) (string, error) {
+	token, userLogin, err := authFlow(hostname, notice, additionalScopes)
 	if err != nil {
 		return "", err
 	}
@@ -50,17 +50,20 @@ func AuthFlowWithConfig(cfg Config, hostname, notice string) (string, error) {
 	return token, nil
 }
 
-func authFlow(oauthHost, notice string) (string, string, error) {
+func authFlow(oauthHost, notice string, additionalScopes []string) (string, string, error) {
 	var verboseStream io.Writer
 	if strings.Contains(os.Getenv("DEBUG"), "oauth") {
 		verboseStream = os.Stderr
 	}
 
+	minimumScopes := []string{"repo", "read:org", "gist"}
+	scopes := append(minimumScopes, additionalScopes...)
+
 	flow := &auth.OAuthFlow{
 		Hostname:     oauthHost,
 		ClientID:     oauthClientID,
 		ClientSecret: oauthClientSecret,
-		Scopes:       []string{"repo", "read:org", "gist"},
+		Scopes:       scopes,
 		WriteSuccessHTML: func(w io.Writer) {
 			fmt.Fprintln(w, oauthSuccessPage)
 		},
diff --git a/pkg/cmd/auth/login/login.go b/pkg/cmd/auth/login/login.go
index cd43c536c..7d53839c6 100644
--- a/pkg/cmd/auth/login/login.go
+++ b/pkg/cmd/auth/login/login.go
@@ -210,7 +210,7 @@ func loginRun(opts *LoginOptions) error {
 	}
 
 	if authMode == 0 {
-		_, err := config.AuthFlowWithConfig(cfg, hostname, "")
+		_, err := config.AuthFlowWithConfig(cfg, hostname, "", []string{})
 		if err != nil {
 			return fmt.Errorf("failed to authenticate via web browser: %w", err)
 		}