Auth0 Home Blog Docs

Limit for number of scopes per API

Does anyone know the limit for number of scopes which can be defined to one API?

I want to define a scope per user group, and the number of user group could reach to a big number. and wondering if there is any limit I should take into account.

Hey there @j.makishi!

Let me ask internally so I can provide you with accurate info!

In our doc on scopes there is no info about the limit:

Will followup as soon as I get something.

1 Like

Hi @j.makishi.

There’s no documented limit for the number of scopes that you can add to an API definition. If the scopes you are providing will be dynamically requested/added and you don’t need a consent for them, you can add a scope in a rule without it being previously defined for the API.

In terms of the number of scopes that can actually be included in a token, you might be bound by the size of the JWT token when used in the Authorization header (the HTTP protocol doesn’t define any limit either, but most web servers enforce 8-16 KB).

Are you planning to use the scope in the OAuth2 concept, where an application specifies the level of access it requires (e.g. “For this user, I want access to their resources in group A”), or as a mean of conveying permissions information in the token (“this user belongs to group A, B and C”)?

If the later, you might be better served by a different claim (e.g. https://yourcompany.com/claims/groups), as scopes should carry the level of access granted to the application in the token. See https://auth0.com/blog/on-the-nature-of-oauth2-scopes/ for a great post on that.

Hope this helps.

1 Like

hi @nicolas_sabena

Thank you very much for the kind answer.
I was looking for a definition limit (precisely, limit of number of scopes for /resource_servers), and didn’t know it can be dynamically added in a rule. Looks it is a preferable option to us, I will try it out.

My use case is “For this user, I want access to their resources in group A”, and each JWT only has one scope “group A”. I am thinking to split my API server to per group base serverless function, and it would be simpler if each function only needs to verify a group in the scope.

Thanks!

1 Like