Differences between Scopes and Permissions

Last Updated: Oct 2, 2024

Overview

This article provides details about the differences between scopes and permissions.

Applies To

  • Scopes
  • Permissions

Solution

What are scopes?

From the OAuth2 spec:

The authorization and token endpoints allow the client to specify the
scope of the access request using the “scope” request parameter. In
turn, the authorization server uses the “scope” response parameter to
inform the client of the scope of the access token issued.

The value of the scope parameter is expressed as a list of space-delimited, case-sensitive strings. The strings are defined by the authorization server. If the value contains multiple space-delimited strings, their order does not matter, and each string adds an additional access range to the requested scope.

When requesting the token, ‘scope’ is used to indicate what resources the client would like to access.

In the token, ‘scope’ indicates what resources the token is allowed to access.

What are permissions?

Permissions are not as narrowly defined in the OAuth spec, and are often used in first-party scenarios where the API trusts the client. They indicate what the user is permitted to do, and do not necessarily define what the client can do on behalf of the user.
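The distinction above can be made concrete in an API's authorization check. The following is an added example, not code from the original article or from any product it describes: it parses a scope value by the RFC rules quoted earlier (space-delimited, case-sensitive, order-insensitive) and keeps the client-delegation check (scope) separate from the user-authority check (permissions). The token is a constructed set of claims, and the name of the `permissions` claim is an assumption.

```python
# Added example, not from the original article. Separates the two questions the
# article distinguishes:
#   scope        - what the client was delegated to do on the user's behalf
#   permissions  - what the user themself is allowed to do in the API
# The "permissions" claim name and the token layout are assumptions.
from __future__ import annotations
from dataclasses import dataclass, field


def parse_scope(value: str) -> frozenset[str]:
    """Parse a scope parameter: space-delimited, case-sensitive strings.
    Order is irrelevant and a repeated string adds nothing, so a set fits."""
    return frozenset(s for s in value.split(" ") if s)


@dataclass
class AccessToken:
    # Constructed claims, standing in for a decoded access token payload.
    sub: str
    scope: str
    permissions: list[str] = field(default_factory=list)


def client_may(token: AccessToken, required_scope: str) -> bool:
    """Delegation check: did the user grant the *client* this scope?"""
    return required_scope in parse_scope(token.scope)


def user_may(token: AccessToken, required_permission: str) -> bool:
    """Authority check: does the *user* hold this permission in the API?"""
    return required_permission in token.permissions


def authorize(token: AccessToken, scope: str, permission: str) -> bool:
    """Both must hold: a client cannot exceed its delegated scope, and a
    user cannot delegate a permission they do not have."""
    return client_may(token, scope) and user_may(token, permission)


# Constructed sample tokens.
# Client was granted read:reports and the user holds read:reports.
TOKEN_USER = AccessToken("alice", "openid read:reports", ["read:reports"])
# Admin user, but the client only asked for (and was granted) read access.
TOKEN_ADMIN_LIMITED_CLIENT = AccessToken(
    "bob", "read:reports", ["read:reports", "delete:reports"])
# Client holds delete:reports in scope, but the user has no such permission.
TOKEN_OVERREACH = AccessToken(
    "carol", "read:reports delete:reports", ["read:reports"])
```

Checking only `scope` would let the client in the third token delete reports on behalf of a user who cannot; checking only `permissions` would let a read-only client act with the admin's full authority in the second.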

Permissions can be toggled on in the API settings here:

Related References