Create API access scopes

Scopes represent high-level operations that applications perform against your API endpoints. Applications request scopes from the authorization server, and the server's access policy decides which of the requested scopes to grant and which to deny.

All authorization servers have several reserved scopes. You can add others as needed by your applications.

  1. In the Admin Console, go to Security > API.

  2. Click the name of the authorization server, and then select Scopes.

  3. Click Add Scope.

  4. Enter a name and description.

  5. Check User Consent to require user consent for this scope.

  6. Optional. If you selected User Consent, you can clear the checkbox for Block services from requesting this scope.

    If the checkbox is cleared, consent is still required when a user is interacting with an application, but not when a service application (a client using the client credentials flow) requests the scope directly. Because no person ever consents in that case, clear the checkbox only for scopes that machine-to-machine clients are meant to hold. For more information, see Flexible consent.

  7. Select Default scope if you want Okta to grant the scope to apps that don't specify any scopes on an authorization request.

    If the client omits the scope parameter in an authorization request, Okta returns an access token that contains all of the default scopes that the matching access policy rule permits. Default scopes widen what a client receives without asking for it, so keep the set of default scopes as small as possible.

  8. Click Save.
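The procedure above is a sequence of Admin Console clicks, so the following added example (not part of the original page or of Okta's own code) models the same choices in code: it maps the User Consent, Block services from requesting this scope, and Default scope settings onto the scope object that Okta's Authorization Server API accepts (fields name, description, consent, default, metadataPublish; consent values IMPLICIT, REQUIRED, FLEXIBLE), builds the create-scope request without sending it, and works through what a token request receives when the scope parameter is omitted and when a service app asks for a consent-gated scope. The org URL, authorization server ID, API token, scope names and client policy below are constructed placeholders.

```python
"""Model of the scope settings on this page (added example, not Okta code).

Field names follow Okta's scope object; everything else (org URL, server ID,
token, scope names, the policy's allowed set) is constructed for illustration.
"""
import json
import urllib.request

USER_FLOWS = {"authorization_code", "implicit"}  # a person is present to consent
SERVICE_FLOWS = {"client_credentials"}           # machine-to-machine, nobody to consent


def consent_mode(user_consent: bool, block_services: bool) -> str:
    """Translate the two console checkboxes into the API 'consent' value.

    User Consent unchecked                 -> IMPLICIT  (never prompt)
    User Consent + Block services checked  -> REQUIRED  (prompt; services cannot get it)
    User Consent + Block services cleared  -> FLEXIBLE  (prompt users; services skip consent)
    """
    if not user_consent:
        return "IMPLICIT"
    return "REQUIRED" if block_services else "FLEXIBLE"


def scope_body(name, description, user_consent=False, block_services=True, default=False):
    """Request body for POST /api/v1/authorizationServers/{id}/scopes."""
    return {
        "name": name,
        "description": description,
        "consent": consent_mode(user_consent, block_services),
        "default": default,
        "metadataPublish": "ALL_CLIENTS",
    }


def create_scope_request(org_url, auth_server_id, api_token, body):
    """Build (but do not send) the API call equivalent to Add Scope > Save."""
    url = f"{org_url}/api/v1/authorizationServers/{auth_server_id}/scopes"
    return urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"SSWS {api_token}",
                 "Content-Type": "application/json", "Accept": "application/json"},
    )


def consent_needed(scope, grant_type):
    """Whether a consent prompt is shown for this scope under this grant type.

    Raises PermissionError when a service app asks for a REQUIRED scope,
    because Block services from requesting this scope is in effect.
    """
    mode = scope["consent"]
    if mode == "IMPLICIT":
        return False
    if grant_type in SERVICE_FLOWS:
        if mode == "REQUIRED":
            raise PermissionError(f"{scope['name']}: services are blocked from requesting this scope")
        return False  # FLEXIBLE: user flows prompt, service flows do not
    return True


def effective_scopes(requested, scopes, policy_allowed):
    """Scopes the issued token carries.

    An omitted or empty scope parameter falls back to every scope with
    default=True that the matching access policy rule permits. An explicit
    request naming an unknown or unpermitted scope fails the whole request
    (simplified: Okta returns an OAuth error response, not a partial grant).
    """
    if not requested:
        return sorted(s["name"] for s in scopes if s["default"] and s["name"] in policy_allowed)
    known = {s["name"] for s in scopes}
    bad = (set(requested) - known) | (set(requested) - set(policy_allowed))
    if bad:
        raise ValueError(f"invalid_scope: {sorted(bad)}")
    return sorted(requested)


# Constructed scope set: what an admin might create with the steps above.
SCOPES = [
    scope_body("reports:read", "Read reports", default=True),                        # IMPLICIT
    scope_body("reports:write", "Write reports", user_consent=True),                 # REQUIRED
    scope_body("audit:read", "Read audit log", user_consent=True, block_services=False, default=True),  # FLEXIBLE
]
# Constructed access policy rule: scopes this client is permitted to obtain.
POLICY_ALLOWED = {"reports:read", "reports:write"}

if __name__ == "__main__":
    req = create_scope_request("https://example.okta.com", "ausEXAMPLE", "REDACTED", SCOPES[2])
    print(req.get_method(), req.full_url, req.data.decode())
    print("no scope param ->", effective_scopes([], SCOPES, POLICY_ALLOWED))
    print("user asks audit:read, prompt?", consent_needed(SCOPES[2], "authorization_code"))
    print("service asks audit:read, prompt?", consent_needed(SCOPES[2], "client_credentials"))
```

Two points worth noticing when running it: audit:read is a default scope, but the token issued for an empty scope parameter does not carry it because the constructed policy rule does not permit it, which is the "permitted by the access policy rule" qualifier in step 7; and a service client asking for reports:write is refused outright while the same client gets audit:read without any prompt, which is exactly the difference between leaving Block services from requesting this scope checked and clearing it.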

Claims reference these scopes: when you define a claim, you can limit it to tokens that carry specific scopes.

If you create an app that uses the User Consent for OAuth 2.0 and OpenID Connect Flows feature, set User Consent to Yes for each scope that the app should prompt for.