diff --git a/.changeset/rich-chefs-nail.md b/.changeset/rich-chefs-nail.md
new file mode 100644
index 00000000..16866347
--- /dev/null
+++ b/.changeset/rich-chefs-nail.md
@@ -0,0 +1,7 @@
+---
+'workers-observability': minor
+'containers-mcp': minor
+'workers-bindings': minor
+---
+
+Use new workers:read scope instead of workers:write, as these mcp servers don't require workers write permissions
diff --git a/apps/sandbox-container/server/sandbox.server.app.ts b/apps/sandbox-container/server/sandbox.server.app.ts
index d8743666..f04c382d 100644
--- a/apps/sandbox-container/server/sandbox.server.app.ts
+++ b/apps/sandbox-container/server/sandbox.server.app.ts
@@ -33,8 +33,6 @@ export type Props = AuthProps
 const ContainerScopes = {
 ...RequiredScopes,
 'account:read': 'See your account info such as account details, analytics, and memberships.',
- 'workers:write':
- 'See and change Cloudflare Workers data such as zones, KV storage, namespaces, scripts, and routes.',
 } as const
 
 export default {
diff --git a/apps/workers-observability/src/workers-observability.app.ts b/apps/workers-observability/src/workers-observability.app.ts
index 1f9fc00e..69d5bdc5 100644
--- a/apps/workers-observability/src/workers-observability.app.ts
+++ b/apps/workers-observability/src/workers-observability.app.ts
@@ -118,7 +118,7 @@ export class ObservabilityMCP extends McpAgent {
 const ObservabilityScopes = {
 ...RequiredScopes,
 'account:read': 'See your account info such as account details, analytics, and memberships.',
- 'workers:write':
+ 'workers:read':
 'See and change Cloudflare Workers data such as zones, KV storage, namespaces, scripts, and routes.',
 'workers_observability:read': 'See observability logs for your account',
 } as const
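Review bot: The description under the renamed key in `ObservabilityScopes` (workers-observability.app.ts) still reads "See and change Cloudflare Workers data …", so the `workers:read` entry now describes write access the server no longer requests. If these strings are what the OAuth consent screen shows (likely, but not visible in this hunk), users are told about a broader grant than the token carries; the text should match the scope, for example `'workers:read': 'See Cloudflare Workers data such as zones, KV storage, namespaces, scripts, and routes.',` with the wording aligned to the upstream scope definition. The changeset says `containers-mcp` moves to `workers:read`, yet the `ContainerScopes` hunk only drops `workers:write` without adding a read scope, and no `workers-bindings` change appears in this diff; both are worth confirming as intended. Tokens already issued with `workers:write` presumably keep that scope until users re-authorize, so the changeset could state whether re-consent is needed to actually reduce privileges.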