Hi @j.makishi.
There’s no documented limit for the number of scopes that you can add to an API definition. If the scopes you are providing will be dynamically requested/added and you don’t need a consent for them, you can add a scope in a rule without it being previously defined for the API.
In terms of the number of scopes that can actually be included in a token, you might be bound by the size of the JWT token when used in the Authorization header (the HTTP protocol doesn’t define any limit either, but most web servers enforce 8-16 KB).
Are you planning to use the scope in the OAuth2 concept, where an application specifies the level of access it requires (e.g. “For this user, I want access to their resources in group A”), or as a means of conveying permissions information in the token (“this user belongs to group A, B and C”)?
If the latter, you might be better served by a different claim (e.g. https://yourcompany.com/claims/groups), as scopes should carry the level of access granted to the application in the token. See On The Nature of OAuth2’s Scopes for a great post on that.
Hope this helps.
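To put a number on the header-size bound mentioned in the reply above, here is an added example (not part of the original post) that builds a compact JWT with a growing `scope` claim and finds how many scopes fit in a given Authorization header budget. The claim values, the scope naming pattern, the demo key and the use of HS256 are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json

def b64url(data: bytes) -> str:
    """Base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_jwt(claims: dict, key: bytes) -> str:
    """Compact HS256 JWT. An RS256 signature with a 2048-bit key is 342 chars, not 43."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"

def header_size(scopes, key=b"constructed-demo-key"):
    """Bytes in the Authorization header line for a token carrying these scopes."""
    claims = {  # constructed sample claims
        "iss": "https://issuer.example/",
        "sub": "user|123",
        "aud": "https://api.example/",
        "iat": 1700000000,
        "exp": 1700086400,
        "scope": " ".join(scopes),  # OAuth2 scopes are space-delimited
    }
    return len("Authorization: Bearer " + make_jwt(claims, key))

def max_scopes(budget: int, make_scope) -> int:
    """Largest n such that n scopes fit within `budget` bytes."""
    def fits(n):
        return header_size([make_scope(i) for i in range(n)]) <= budget
    if not fits(0):
        raise ValueError("budget too small for a token with no scopes")
    lo, hi = 0, 1
    while fits(hi):  # grow until it no longer fits
        lo, hi = hi, hi * 2
    while hi - lo > 1:  # binary search: lo fits, hi does not
        mid = (lo + hi) // 2
        lo, hi = (mid, hi) if fits(mid) else (lo, mid)
    return lo

if __name__ == "__main__":
    name = lambda i: f"read:group{i:04d}"  # constructed scope naming
    for budget in (8192, 16384):
        print(budget, "byte budget ->", max_scopes(budget, name), "scopes")
```

The budget here covers only the Authorization header line; other request headers such as cookies share whatever limit the server enforces.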