Ah, solved it. Unlike other places where scopes are specified (for example, when defining a custom social connector), scopes must be separated with a space instead of a comma. I wish Auth0 would give some sort of error from the API when requesting invalid scopes!
1 Like