If you're using OAuth authentication, you should only need to request the contacts scope. If you're using your API key, you shouldn't have any permission issues at all (since an API key includes access to all APIs available to a portal). Keep in mind that you'll need to replace demo with the API key you pull from your own portal: