OAuth2 scope: api:read

Source: Per-app

Description

Example custom scope, read access to your API.

Requesting this scope

In the authorization URL:

GET /oauth2/auth?
  &scope=api:read
  ...

Multiple scopes are space-separated.

Granting access

A client only receives this scope if it's on the client's allowed scope list. Configure in Athena → OAuth2 Clients → your client → Allowed Scopes.

Checking in your backend

The access token's scope claim contains the granted scopes:

const granted = info.scope?.split(" ") ?? [];
if (!granted.includes("api:read")) return 403;

Related

• Cookbook, Add OAuth2 scope
• Cookbook, Map roles to scopes
• Integrate, OAuth2 overview