Create API access scopes

Scopes represent high-level operations performed against your API endpoints. Applications request these scopes from the authorization server. The server access policy decides which scopes to grant and which ones to deny.

All authorization servers have several reserved scopes. You can add others as needed by your applications.

  1. In the Admin Console, go to Security > API.

  2. Click the name of the authorization server, and then select Scopes.
  3. Click Add Scope.
  4. Enter a name and description.
  5. Select a User Consent option:
    • Implicit: The default setting. The user isn't asked to grant the app access to the information. The user's consent is implied for this scope.
    • Optional: The user can skip accepting this scope when they see the consent screen on the Sign-In Widget.
    • Required: User consent is required for this scope, and users may not change their consent option.
  6. Optional. If you select the Optional or Required option for User Consent, clear the Block services from requesting this scope checkbox.
  7. Select Set as a default scope if you want to allow Okta to grant authorization requests to apps that don’t specify scopes on an authorization request.

    If the client omits the scope parameter in an authorization request, Okta returns the access token with all of the default scopes permitted by the access policy rule.

  8. Select Include in public metadata to include this scope in public metadata.
  9. Click Save.
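The following is an added example, not part of this page or of Okta's own code. It models the two sides of what the steps above configure: a simplified version of the grant decision (an omitted scope parameter yields the policy rule's default scopes; a request for a scope the policy does not permit is refused) and the check a resource server performs on the resulting access token. It assumes the scope names and the client id are constructed values, and that the granted scopes appear in the token's `scp` array claim; the grant logic is an illustrative model of the behaviour described in step 7, not Okta's implementation.

```python
from typing import Dict, Optional, Set

# Constructed example of what one access policy rule might permit for a
# client, and which of those scopes are marked "Set as a default scope".
# Scope names are hypothetical.
PERMITTED_SCOPES = {"openid", "profile", "orders:read", "orders:write"}
DEFAULT_SCOPES = {"openid", "orders:read"}


class ScopeDenied(Exception):
    """Raised when a request asks for a scope the access policy does not allow."""


def grant_scopes(requested: Optional[Set[str]],
                 permitted: Set[str] = PERMITTED_SCOPES,
                 defaults: Set[str] = DEFAULT_SCOPES) -> Set[str]:
    """Simplified model (an assumption, not Okta's code) of the grant decision.

    - requested is None: the client omitted the scope parameter, so the token
      gets every default scope that the policy rule permits.
    - otherwise every requested scope must be permitted, or the request fails.
    """
    if requested is None:
        return defaults & permitted
    not_allowed = requested - permitted
    if not_allowed:
        raise ScopeDenied(f"scope(s) not permitted by policy: {sorted(not_allowed)}")
    return set(requested)


def build_claims(granted: Set[str], client_id: str) -> Dict:
    """Shape only the claims this example needs: the client id and the granted
    scopes in the ``scp`` array claim. Issuer, audience, expiry, etc. are omitted."""
    return {"cid": client_id, "scp": sorted(granted)}


def has_required_scopes(claims: Dict, required: Set[str]) -> bool:
    """Resource-server check for one endpoint. Run it only on claims whose
    signature, issuer, audience and expiry have already been verified."""
    scp = claims.get("scp")
    if not isinstance(scp, list):
        return False  # missing or malformed scp claim: deny, never assume
    return required.issubset(set(scp))


def authorize_endpoint(claims: Dict, required: Set[str]) -> int:
    """HTTP-style outcome: 200 when the token carries every required scope,
    403 when the token is valid but does not cover this operation."""
    return 200 if has_required_scopes(claims, required) else 403


if __name__ == "__main__":
    # Client omitted the scope parameter: token carries the default scopes.
    token_claims = build_claims(grant_scopes(None), "client-constructed-id")
    print("default-scope token:", token_claims["scp"])
    print("GET /orders  ->", authorize_endpoint(token_claims, {"orders:read"}))
    print("POST /orders ->", authorize_endpoint(token_claims, {"orders:write"}))
```

The resource-server side is the part that matters for least privilege: a token issued only with default scopes is still a valid token, so an endpoint that performs a non-default operation must check `scp` explicitly rather than relying on the token's validity alone.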

These scopes are referenced by Claims.

If you create an app that uses the User Consent for OAuth 2.0 and OpenID Connect Flows feature, set the User Consent option to Implicit or Required for the scope.