An OAuth scope is a string that identifies a specific permission. When a client requests authorization, it lists the scopes it needs. The user sees them on the consent screen; the authorization server encodes them into the access token.
Example scopes
openid (OIDC: sign in)
profile (name, picture)
email (email address)
read:posts (app-specific: read posts)
write:posts (app-specific: create/edit posts)
admin (app-specific: admin access)
The format isn’t standardized — providers use whatever convention fits. Google uses URL-like scopes (https://www.googleapis.com/auth/calendar), GitHub uses colons (repo:public), OIDC uses simple strings (openid, profile).
Best practice
Request the minimum scopes you need. Users are more likely to approve “read your email” than “full access to everything.” For many B2C products, openid profile email is all you need — anything more triggers extra verification steps from the IdP.
Scope validation
On the resource server, validate that the access token includes the scope required for the endpoint being called:
GET /posts — requires read:posts
POST /posts — requires write:posts
DELETE /workspace — requires admin
Without scope checks, the access token is a master key.
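A worked illustration of that check, written for this entry and not taken from the glossary or any particular framework. It assumes a hypothetical route table covering the three endpoints above, accepts constructed token claims, and assumes the token's signature, issuer, audience and expiry have already been verified by the code that calls it; it only decides the scope question and produces the RFC 6750 `insufficient_scope` response when the token falls short.

```python
# Added example: scope enforcement on an OAuth resource server.
# The route table and the claims passed in are hypothetical / constructed.
from dataclasses import dataclass
from typing import Optional

# Hypothetical (method, path) -> required scope table for the routes above.
REQUIRED_SCOPE = {
    ("GET", "/posts"): "read:posts",
    ("POST", "/posts"): "write:posts",
    ("DELETE", "/workspace"): "admin",
}


def parse_scopes(claims: dict) -> frozenset:
    """Extract the granted scopes from already-verified token claims.

    JWT access tokens (RFC 9068) carry `scope` as a space-delimited string;
    some providers emit `scp` as a JSON array instead, so accept both.
    Scope values are case-sensitive (RFC 6749 section 3.3): no lowercasing.
    """
    raw = claims.get("scope", claims.get("scp", ""))
    if isinstance(raw, str):
        return frozenset(s for s in raw.split(" ") if s)
    if isinstance(raw, (list, tuple)):
        return frozenset(s for s in raw if isinstance(s, str) and s)
    return frozenset()  # unexpected shape: treat as no scopes (fail closed)


@dataclass
class Decision:
    status: int                              # HTTP status to return
    www_authenticate: Optional[str] = None   # header value for 401/403


def authorize(method: str, path: str, claims: Optional[dict]) -> Decision:
    """Decide whether a request may proceed, based only on token scopes.

    `claims` must come from a token whose signature, issuer, audience and
    expiry were verified before this call; this function checks scope only.
    """
    required = REQUIRED_SCOPE.get((method.upper(), path))
    if required is None:
        # Unknown route: fail closed instead of treating any token as valid.
        return Decision(404)
    if claims is None:
        # No bearer token presented at all.
        return Decision(401, 'Bearer realm="api"')
    granted = parse_scopes(claims)
    if required not in granted:
        # RFC 6750 section 3.1: tell the client which scope the endpoint needs.
        return Decision(
            403,
            f'Bearer realm="api", error="insufficient_scope", scope="{required}"',
        )
    return Decision(200)


if __name__ == "__main__":
    # Constructed claims: a token granted only openid and read:posts.
    token = {"scope": "openid read:posts"}
    print(authorize("GET", "/posts", token))     # allowed
    print(authorize("POST", "/posts", token))    # 403 insufficient_scope
```

Two design points worth keeping: the lookup is driven by an explicit allow-list of routes, so an endpoint nobody mapped does not silently become reachable with any token, and `admin` is not treated as implying the other scopes, because the glossary describes no such hierarchy and an implicit one is exactly how a token turns back into a master key.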
See the full auth glossary for related terms.