
What Are OAuth 2.0 Scopes and How Do They Work?
TL;DR

OAuth 2.0 scopes are permission strings that define what an access token can do. Use the format resource:action, such as pets:read or orders:write. Request scopes during authorization, and validate them on your API endpoints. Modern PetstoreAPI implements scopes for read/write access to pets, orders, and user data. Try Apidog today.

Introduction

A third-party app wants to read your pet store’s inventory. Should it have full access to create orders, delete pets, and manage users? No—it should only read inventory.

OAuth 2.0 scopes solve this: scopes define what permissions an access token has. For example, the app requests the inventory:read scope, and your API only returns data if the access token includes this scope.

Modern PetstoreAPI implements granular scopes for all resources: pets, orders, inventory, and users. If you’re testing OAuth APIs, Apidog helps you test scope validation and authorization flows.

What Are OAuth 2.0 Scopes?

Scopes are permission strings included in OA
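The two halves of the flow described above, requesting scopes in the authorization request and enforcing them on the resource server, as an added example that is not code from the original article or from PetstoreAPI. It assumes the access token has already been signature-verified and decoded, that its scope claim is the space-delimited string format of RFC 6749 section 3.3, and that the route-to-scope table and the sample claims are constructed for illustration. The scope parser rejects malformed entries instead of ignoring them, so a typo in a token or route table fails closed.

```python
"""Added example (not PetstoreAPI code): resource:action scope parsing,
authorization-request construction, and per-endpoint enforcement."""

from dataclasses import dataclass
from urllib.parse import urlencode

# Hypothetical route table: (HTTP method, path) -> scope required.
# Every endpoint that serves data is listed; an unlisted route gets 404,
# never an implicit "no scope needed".
REQUIRED_SCOPES = {
    ("GET", "/pets"): "pets:read",
    ("POST", "/pets"): "pets:write",
    ("DELETE", "/pets"): "pets:write",
    ("GET", "/inventory"): "inventory:read",
    ("POST", "/orders"): "orders:write",
}


@dataclass(frozen=True)
class Scope:
    resource: str
    action: str


def parse_scope(raw):
    """Parse a space-delimited scope string into a set of Scope values.

    Entries without a colon or with an empty resource/action raise instead of
    being skipped, so a malformed claim can never silently widen access.
    """
    scopes = set()
    for item in raw.split():
        resource, sep, action = item.partition(":")
        if not sep or not resource or not action:
            raise ValueError(f"malformed scope: {item!r}")
        scopes.add(Scope(resource, action))
    return scopes


def build_authorization_url(authz_endpoint, client_id, redirect_uri, scopes, state):
    """Step 1 (client side): ask for exactly the scopes the app needs.

    Scopes are joined with a single space, the delimiter RFC 6749 defines.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{authz_endpoint}?{urlencode(params)}"


def authorize(claims, method, path):
    """Step 2 (resource server): check the token's scopes for this endpoint.

    Returns (status, body). A token that lacks the required scope gets 403
    with the insufficient_scope error defined in RFC 6750 section 3.1.
    """
    required = REQUIRED_SCOPES.get((method, path))
    if required is None:
        return 404, {"error": "not_found"}
    granted = parse_scope(claims.get("scope", ""))
    resource, _, action = required.partition(":")
    if Scope(resource, action) in granted:
        return 200, {"ok": True}
    return 403, {"error": "insufficient_scope", "required_scope": required}


if __name__ == "__main__":
    # Constructed sample: a read-only inventory app.
    print(build_authorization_url("https://authz.example/authorize", "inventory-app",
                                  "https://app.example/cb", ["inventory:read"], "xyz"))
    token_claims = {"sub": "app-123", "scope": "inventory:read pets:read"}
    print(authorize(token_claims, "GET", "/inventory"))   # 200
    print(authorize(token_claims, "POST", "/orders"))     # 403 insufficient_scope
```

The subset check is deliberately exact: pets:write does not imply pets:read here, so each endpoint names the one scope it accepts and the token must carry it literally. If a deployment wants write to imply read, that rule belongs in the route table, not in the parser.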
Continue reading on Dev.to


