OAuth - Scope of an access request (Access Token|Grant)


The scope parameter defines the extent of an access request (ie of an access token or grant).

Scopes are used to grant an application (client) different levels of access to data on behalf of the end user (owner).

Each authorization server may declare one or more scopes.


This is the scope that Google Drive asks for when you connect to their service.

scope=email openid https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/docs.test https://www.googleapis.com/auth/drive https://www.googleapis.com/auth/drive.photos.readonly https://www.googleapis.com/auth/peopleapi.readonly https://www.googleapis.com/auth/meetings https://www.googleapis.com/auth/drive.activity.readonly https://www.googleapis.com/auth/experimentsandconfigs https://www.googleapis.com/auth/photos.native

If you use it in a URL, you need to encode it (ie each space becomes %20).


The value of the scope is expressed as a list of space-delimited, case-sensitive strings.

The strings are defined by the authorization server. If the value contains multiple space-delimited strings, their order does not matter, and each string adds an additional access range to the requested scope.

scope       = scope-token *( SP scope-token )
scope-token = 1*( %x21 / %x23-5B / %x5D-7E )

where a scope-token is composed of one or more of the following ASCII characters (given in hexadecimal):

  • x21, ie !
  • x23-5B, ie # to [
  • x5D-7E, ie ] to ~

That is, every printable ASCII character except the space (x20), the double quote (x22) and the backslash (x5C).

The authorization server SHOULD document its scope requirements and default value (if defined).



The client can specify the scope of the access request at:

The authorization server MAY fully or partially ignore the scope requested by the client, based on the authorization server policy or the resource owner's instructions.

If the client omits the scope parameter when requesting authorization, the authorization server MUST either:

  • process the request using a pre-defined default value
  • or fail the request indicating an invalid scope.


In turn, the authorization server (ie authorization endpoint and token endpoint) uses the scope response parameter to inform the client of the scope of the access token issued.


If the issued access token scope is different from the one requested by the client, the authorization server MUST include the scope response parameter to inform the client of the actual scope granted.
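The following Python is an added example (not code from the page or from any OAuth library) that puts the scope grammar above and the authorization server rules of this section into one place: it parses and validates a scope value against the RFC 6749 character ranges, percent-encodes it for a URL, and decides which scope to grant and whether the scope response parameter must be returned. The function names, the "drop undeclared tokens" policy and the choice to always return the scope when a default was applied are assumptions of this example.

```python
import re
from urllib.parse import quote

# RFC 6749 section 3.3: scope-token = 1*( %x21 / %x23-5B / %x5D-7E ), i.e.
# printable ASCII without SP, double quote (x22) and backslash (x5C).
SCOPE_TOKEN_RE = re.compile(r"^[\x21\x23-\x5B\x5D-\x7E]+$")


class InvalidScope(ValueError):
    """Raised where the server must fail the request with an invalid scope."""


def parse_scope(value):
    """Split a scope value into its set of case-sensitive scope-tokens.

    Order does not matter, hence a set. Empty tokens (leading, trailing or
    doubled SP) and characters outside the grammar are rejected.
    """
    tokens = value.split(" ")
    for t in tokens:
        if t == "" or not SCOPE_TOKEN_RE.match(t):
            raise InvalidScope("bad scope-token %r" % t)
    return set(tokens)


def encode_scope_for_url(tokens):
    """Render a scope set as a query-string value (SP becomes %20)."""
    return quote(" ".join(sorted(tokens)), safe="/:")


def resolve_granted_scope(requested, registered, default=None):
    """Apply the server-side rules; return (granted, must_echo).

    requested: raw scope parameter, or None if the client omitted it.
    registered: scope-tokens this server declares. default: pre-defined
    default set, if any. must_echo: True when the scope response parameter
    MUST be sent because the granted scope differs from the requested one.
    """
    if requested is None:
        if default is None:
            raise InvalidScope("scope omitted and no default defined")
        # Nothing was requested, so the grant cannot be identical to the
        # request; returning the scope explicitly is the safe choice (assumed).
        return set(default), True
    wanted = parse_scope(requested)
    # Policy assumed for this example: partially ignore the request by
    # dropping undeclared tokens, and fail if nothing is left.
    granted = wanted & set(registered)
    if not granted:
        raise InvalidScope("no requested scope-token is declared")
    return granted, granted != wanted
```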
