
What is the difference between scopes and permissions?

Question: What is the difference between scopes and permissions?

Answer:

What are scopes?

From the OAuth2 spec:

The authorization and token endpoints allow the client to specify the scope of the access request using the “scope” request parameter. In turn, the authorization server uses the “scope” response parameter to inform the client of the scope of the access token issued.

The value of the scope parameter is expressed as a list of space-delimited, case-sensitive strings. The strings are defined by the authorization server. If the value contains multiple space-delimited strings, their order does not matter, and each string adds an additional access range to the requested scope.

When requesting the token, ‘scope’ is used to indicate what resources the client would like to access.

In the token, ‘scope’ indicates what resources the token is allowed to access.

What are permissions?

Permissions are not as narrowly defined in the OAuth spec, and are often used in first-party scenarios where the API trusts the client. They indicate what the user is permitted to do, and do not necessarily define what the client can do on behalf of the user.
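To show the two claims side by side, here is an added example (not Auth0 code) of an API check that treats `scope` as what the client was delegated and `permissions` as what the user actually holds, and only allows an action when both agree. It assumes the token has already been signature- and audience-verified by middleware, that the `permissions` claim is an array (as Auth0 issues it when the toggle below is on), and all claim values are constructed placeholders.

```javascript
// Constructed claims, as they would appear in an already-verified access token.
// Assumption: signature, issuer and audience were checked upstream.
const sampleClaims = {
  iss: "https://example-tenant.example.com/", // placeholder tenant
  sub: "auth0|user123",                       // placeholder user
  aud: "https://api.example.com",             // placeholder API identifier
  azp: "client-abc",                          // placeholder client id
  scope: "openid profile read:orders",        // what the client asked for and was granted
  permissions: ["read:orders", "write:orders"], // what the user holds (assumed array claim)
};

// scope is a space-delimited, case-sensitive string whose order does not matter.
function parseScopes(scope) {
  if (typeof scope !== "string") return new Set();
  return new Set(scope.split(" ").filter(Boolean));
}

// permissions is an array claim; anything else is treated as "no permissions".
function parsePermissions(permissions) {
  return new Set(Array.isArray(permissions) ? permissions : []);
}

// Allow an action only if the client was delegated it (scope) AND the user holds it (permission).
// Returns the reason so the API can log which of the two checks failed.
function authorize(claims, required) {
  const clientMay = parseScopes(claims.scope).has(required);
  const userMay = parsePermissions(claims.permissions).has(required);
  if (clientMay && userMay) return { allowed: true, reason: "scope and permission present" };
  if (!clientMay) return { allowed: false, reason: `client was not granted scope "${required}"` };
  return { allowed: false, reason: `user lacks permission "${required}"` };
}

module.exports = { sampleClaims, parseScopes, parsePermissions, authorize };
```

The second denied case is the one the answer describes: a client can be handed a scope for an action the user is not permitted to perform, and the permission claim is what catches it.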

Permissions can be toggled on in the API settings here:

Supporting Documentation:

Documentation: Add Permissions, API Scopes, Scopes
Community Topic: Permissions: claim or scopes