Which OAuth scopes should I grant for Tailscale Docker container after scopes update?

[NikMAX2077]

After the recent update OAuth scopes have changed. The information in the guide is now outdated.
If I set all 4 permissions in the Devices category to write this is still not enough. Container crashes with an error:
Status: 403, Message: "calling actor does not have enough permissions to perform this function".
I guess I need to grant some other permissions outside the Devices block, but the guide doesn't say anything about that.

[rocode]

It appears that the new scope requirements are Devices Core and Auth Keys write scopes, and the tag set to the same one as in the TS_EXTRA_ARGS environment variable in your compose.yaml.