It seems I can send messages only in case the scope ALL is assigned. If I limit the permissions of the bot to READ_CONVERSATIONS only it is failing with:
{"name":"app","hostname":"ldap-01-fth01ti-de","pid":1740,"level":50,"msg":"[APP]: { [Error: Internal error with Client Credentials Grant authentication]\n code: 'SDK_ERROR',\n message: 'Internal error with Client Credentials Grant authentication',\n stack: 'Error\n at Error (native)\n at Error.circuit.Error (/home/ldapuser/bin/node_modules/circuit-sdk/circuit.js:309:22)\n at /home/ldapuser/bin/node_modules/circuit-sdk/circuit.js:46269:32\n at process._tickCallback (node.js:438:9)' }","time":"2018-07-24T08:14:27.930Z","v":0}
Are these scopes supposed to be used to limit the bots capabilities in case Grant Type CLIENT_CREDENTIALS is used?
To send messages you need the scope "WRITE_CONVERSATIONS" or "ALL".
For IMPLICIT and AUTHORIZATION CODE grant types, the requested scopes are shown to the user in the OAuth permission popup.
Correct, for CLIENT CREDENTIALS grant type these scopes limit the bot capabilities.
Each JS SDK API lists the scopes that allow the API call. E.g. see addTextItem which requires "WRITE_CONVERSATIONS" or "ALL".