Create Client Grant for client with non-existing Scope

Hello everyone,

I have a question about the Scopes management in Auth0. Unfortunately, I couldn’t find the exact answer in the documentation.

I’m trying to grant a scope for a specific client using the Management API. However, I stumbled upon the fact that it’s possible to assign a scope to a client that doesn’t exist in an API.

Here is my setup:

I use this Management API (Auth0 Management API v2) to create a client grant:

POST /api/v2/client-grants

{
  "client_id": "1234567890",
  "audience": "https://my-api.example.com",
  "scope": [
    "non-existing-scope"
  ]
}

In the example above, I can create a Grant and afterward request the “non-existing-scope” scope:

curl --request POST \
  --url 'https://auth0/oauth/token' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data grant_type=client_credentials \
  --data client_id=1234567890 \
  --data client_secret=<SECRET> \
  --data scope=non-existing-scope \
  --data audience=https://my-api.example.com

The non-existing-scope scope will be present in the access_token.

Why does the Management API allow creating a client grant with a scope that is not defined in the API? Or why will this scope not be present in the Auth0 Dashboard among other permissions?

Thank you very much in advance!
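
An audit for the situation described above, as an added example that is not part of the original post: it compares each client grant's scopes with the scopes defined on the API whose identifier matches the grant's audience. The sample records, grant ids and the `read:items`/`write:items` scopes are constructed, and the field layout is assumed to match what GET /api/v2/resource-servers and GET /api/v2/client-grants return.

```python
import json

# Constructed sample data, shaped like the Management API v2 responses
# (assumed layout: resource servers carry "identifier" and "scopes[].value",
# client grants carry "client_id", "audience" and "scope").
RESOURCE_SERVERS = json.loads("""[
  {"identifier": "https://my-api.example.com",
   "scopes": [{"value": "read:items"}, {"value": "write:items"}]}
]""")

CLIENT_GRANTS = json.loads("""[
  {"id": "cgr_constructed_1", "client_id": "1234567890",
   "audience": "https://my-api.example.com",
   "scope": ["read:items", "non-existing-scope"]},
  {"id": "cgr_constructed_2", "client_id": "0987654321",
   "audience": "https://unknown-api.example.com",
   "scope": ["read:items"]}
]""")


def find_undefined_grant_scopes(resource_servers, client_grants):
    """Return one finding per grant that holds scopes its API does not define."""
    defined = {
        rs["identifier"]: {s["value"] for s in rs.get("scopes") or []}
        for rs in resource_servers
    }
    findings = []
    for grant in client_grants:
        audience = grant["audience"]
        granted = set(grant.get("scope") or [])
        if audience not in defined:
            # No API with this identifier: every granted scope is unbacked.
            reason, extra = "unknown_audience", granted
        else:
            reason, extra = "undefined_scope", granted - defined[audience]
        if extra:
            findings.append({
                "grant_id": grant["id"],
                "client_id": grant["client_id"],
                "audience": audience,
                "reason": reason,
                "scopes": sorted(extra),
            })
    return findings


if __name__ == "__main__":
    for finding in find_undefined_grant_scopes(RESOURCE_SERVERS, CLIENT_GRANTS):
        print(json.dumps(finding))
```

To run it against a tenant, replace the two constants with the JSON bodies returned by those two endpoints.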