Permissions:We ask for client permissions, the minimum we can ask for to send invites. Unfortunately it looks scary when you grant us permissions but we're definitely asking for the minimum we can. Nitty gritty: We're using the users.admin.invite API endpoint that requires a legacy token, aka the kind of token that needs those permissions you're about to see.

Have trust issues with those permissions (I would too!)? Curious about the code? DM @jamescmartinez on Twitter and I can walk through the code with you. I would open source the code if I could but I want to make sure possible attackers don't learn our filtering methods. Security by obscurity in this case, unfortunately.

Also, I'm sorry this site looks GROSS right now. It was built in a rush to solve the community spam problem as fast as possible and there was exactly 0 time spent on design. Once things settle that will be my next priority. On the bright side, users will never see these pages.