What is an OAuth 2.0 scope?

A scope is a string that tells an authorization server which resources and actions an application is requesting permission to access on behalf of the user. The user sees the list of requested scopes on the consent screen and can approve or deny the request. Scopes define the boundary of what a token can do.

Why are Google scopes full URLs while GitHub scopes are short words?

There is no universal standard for scope format in OAuth 2.0. Google uses URL-style scope identifiers because they are globally unique and unambiguous across the many Google APIs. GitHub chose short readable tokens. Both are valid OAuth 2.0 scopes. The format is entirely up to the authorization server.

How do I add the scope string to my authorization URL?

Include the URL-encoded scope string as the scope query parameter in your authorization URL. For example: https://accounts.google.com/o/oauth2/v2/auth?scope=openid%20email%20profile. Most OAuth libraries accept the raw space-separated string and handle encoding automatically.

What is the difference between Stripe read_only and read_write?

For Stripe Connect OAuth, read_only grants viewing access to the connected account: payments, customers, refunds, and payouts can be read but not created or modified. read_write adds the ability to create charges, manage customers, issue refunds, and modify payout settings. Always use read_only unless your integration needs to take actions on the account.

Can I request multiple scopes at once?

Yes. OAuth 2.0 allows multiple scopes in a single authorization request by separating them with spaces. All selected scopes are presented to the user on a single consent screen. The resulting access token will carry all the approved permissions.

What happens if I request more scopes than my app needs?

Users may deny your request if the permissions seem excessive relative to what your app does. More importantly, if your access token is compromised, the attacker has all the permissions the token carries. Requesting only what you need limits the blast radius of a credential leak.

What does the URL-encoded version of the scope do?

Spaces in scope strings must be encoded as %20 or + when placed in a URL query string. The tool shows the URL-encoded version for direct use in authorization URLs. If you are using an OAuth client library, it typically handles encoding automatically and you can pass the raw space-separated string.

How do I use the Custom provider?

Select Custom, then type each scope value and click Add. Custom scopes are added with a medium risk rating by default. The generated scope string works the same way as the other providers. This is useful for in-house OAuth servers, internal APIs, or providers not yet listed in the tool.

What is the GitHub repo scope and why is it high risk?

The repo scope grants full read and write access to all repositories, including private ones. It also grants access to commit statuses, deployments, and invitations. It is marked high risk because a leaked token with repo scope can read private code, push malicious commits, and delete repositories. Use public_repo if your app only needs access to public repositories.

Does decoding a scope string require network access?

No. Scope decoding runs entirely in the browser by matching your input against the built-in scope list. No network request is made. This means only scopes defined in the tool are matched, and any provider-specific or custom scopes will appear as unrecognized.

Loading tool...

How to Use OAuth 2.0 Scope Builder

How to Use the OAuth 2.0 Scope Builder

Build Mode

Step 1: Choose a Provider

Select the OAuth provider your app integrates with:

Provider	Notes
Google	Uses full URL scopes such as https://www.googleapis.com/auth/drive
GitHub	Uses short token-style scopes such as repo, read:user
Stripe	Uses two Connect scopes: read_only and read_write
Custom	Enter any scopes manually for non-listed providers

Step 2: Toggle Scopes

Each scope shows:

A human-readable label and description
The actual scope value used in the OAuth request
A risk indicator: low (green), medium (amber), or high (red)

Click a scope row to select or deselect it. Use Select all or Clear all for bulk actions.

Step 3: Copy the Scope String

The generated scope string appears at the bottom once at least one scope is selected. You can copy:

The raw space-separated string (standard OAuth 2.0 format)
The URL-encoded version (for embedding in query strings)

Decode Mode

Paste an existing scope string (space-separated) and the tool will:

Match recognized scopes against the selected provider and explain each one
List any unrecognized tokens separately

Switch to Custom provider to decode non-standard or internal scopes.

Risk Indicators

Level	Meaning
Low	Read-only or limited write access
Medium	Write access to specific resources
High	Admin, full access, or destructive capability

Always request the minimum scopes your app needs. Users are more likely to approve narrow permissions, and fewer scopes reduce your attack surface if credentials are compromised.

Principle of Least Privilege

OAuth scopes are your authorization boundary. Requesting drive:readonly instead of drive means a leaked token cannot modify or delete files. For any app:

Start with the most restrictive scope that lets the feature work
Add broader scopes only when users explicitly unlock advanced features
Never request admin or delete scopes unless the feature genuinely requires them

Frequently Asked Questions

Most Viewed Tools

🔐

TOTP Code Generator

2,924 views

Generate time-based one-time passwords from a TOTP secret key. Enter your base32 secret, choose a period and digit length, and get the current and next codes with a live countdown timer. Useful for testing and debugging 2FA integrations.

OAuth 2.0 Scope Builder

How to Use OAuth 2.0 Scope Builder

How to Use the OAuth 2.0 Scope Builder

Build Mode

Step 1: Choose a Provider

Step 2: Toggle Scopes

Step 3: Copy the Scope String

Decode Mode

Risk Indicators

Principle of Least Privilege

Frequently Asked Questions

What is an OAuth 2.0 scope?

Why are Google scopes full URLs while GitHub scopes are short words?

How do I add the scope string to my authorization URL?

What is the difference between Stripe read_only and read_write?

Can I request multiple scopes at once?

What happens if I request more scopes than my app needs?

What does the URL-encoded version of the scope do?

How do I use the Custom provider?

What is the GitHub repo scope and why is it high risk?

Does decoding a scope string require network access?

Most Viewed Tools

TOTP Code Generator

Secret and Credential Scanner

Password Entropy Calculator

Content Security Policy Generator

Screen Size Converter

API Key Hasher

SSH Key Generator

PGP Key Generator

Related Privacy & Security Tools

API Key Hasher

PGP Key Generator

TOTP Code Generator

Password Entropy Calculator

Content Security Policy Generator

SSH Key Generator

Secret and Credential Scanner

PIN Generator

Share Your Feedback