Definition
A scope names a capability a token is allowed to exercise. You request scopes when you mint an access token, and the token can do nothing outside them — a call to an out-of-scope capability returns a 403.
In plain terms
The list of things a particular token is permitted to do.
Why it matters here
Scoping tokens narrowly bounds the blast radius of a leaked credential, which is the heart of least privilege.
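The check a resource server makes before honouring a call, as an added example (not code from this page or its API). It assumes the token's signature is already verified and that scopes arrive as the space-delimited OAuth 2.0 `scope` claim. The scope names, routes and the 401 for a missing or expired token are hypothetical.

```python
import time

# Hypothetical route table: each endpoint names the one scope it requires.
REQUIRED_SCOPE = {
    ("GET", "/accounts"): "accounts:read",
    ("POST", "/payments"): "payments:write",
}


def granted_scopes(claims):
    """Parse the space-delimited `scope` claim into a set of exact names."""
    scope = claims.get("scope", "")
    # Anything that is not a string is treated as "no scopes" (fail closed).
    return set(scope.split()) if isinstance(scope, str) else set()


def authorize(claims, method, path, now=None):
    """Return the HTTP status a resource server would answer with.

    `claims` is the payload of an access token whose signature has
    already been verified; None means no token was presented.
    """
    now = time.time() if now is None else now
    if claims is None or claims.get("exp", 0) <= now:
        return 401  # no usable token: an authentication problem
    required = REQUIRED_SCOPE.get((method, path))
    if required is None:
        return 403  # deny by default: an unmapped route is never open
    # Exact set membership only. A substring test such as
    # `required in claims["scope"]` would let "accounts:readonly"
    # pass as "accounts:read".
    if required not in granted_scopes(claims):
        return 403  # valid token, capability outside its scopes
    return 200


# Constructed sample: a token minted with a single read-only scope.
SAMPLE = {"sub": "client-123", "scope": "accounts:read", "exp": 2_000_000_000}
```
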
Related reading

Access token
An access token is the short-lived bearer JWT you send as Authorization: Bearer on partner calls. You mint it…
Client-credentials grant
The client-credentials grant is the OAuth 2.0 machine-to-machine flow: a server exchanges a client ID and…
Least privilege
Least privilege means granting only the minimum access a job needs. Applied here: scope every credential…