OAuth Scope.
A string that specifies what permissions the client is requesting on behalf of the user, surfaced as the consent screen's permission list.
For AI agents specifically, fine-grained scopes are the structural protection against agent abuse. Generic read:everything scopes give the agent more capability than the user intended; per-capability scopes (read:calendar:next-7-days, send:email:requires-confirmation) let the user grant exactly what's needed.
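How a resource server might enforce the two per-capability scopes named above, next to the generic one. This is an added example, not code from the page or from any OAuth library. The action:resource[:constraint] grammar, the meaning given to each constraint, and the names parse_scope and is_allowed are assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed grammar (not defined on this page): action:resource[:constraint]
WINDOW = re.compile(r"next-(\d+)-days")


def parse_scope(scope_string):
    """Split the space-delimited scope value of a token into a set."""
    return set(scope_string.split())


def is_allowed(granted, action, resource, *, now, item_time=None,
               user_confirmed=False):
    """Return True only if some granted scope covers this exact request."""
    for scope in granted:
        parts = scope.split(":", 2)
        if len(parts) < 2 or parts[0] != action:
            continue
        if parts[1] not in (resource, "everything"):
            continue
        if len(parts) == 2:
            return True  # unconstrained grant, e.g. read:everything
        constraint = parts[2]
        window = WINDOW.fullmatch(constraint)
        if window:
            # Time-boxed grant: the item must fall inside the window.
            limit = now + timedelta(days=int(window.group(1)))
            if item_time is not None and now <= item_time <= limit:
                return True
        elif constraint == "requires-confirmation":
            # Grant is usable only with a fresh per-request user approval.
            if user_confirmed:
                return True
        # Any other constraint is unknown here: fail closed.
    return False


if __name__ == "__main__":
    now = datetime(2026, 1, 1, tzinfo=timezone.utc)  # constructed sample time
    fine = parse_scope("read:calendar:next-7-days send:email:requires-confirmation")
    broad = parse_scope("read:everything")
    in_3_days = now + timedelta(days=3)
    print(is_allowed(fine, "read", "calendar", now=now, item_time=in_3_days))
    print(is_allowed(fine, "read", "contacts", now=now))
    print(is_allowed(fine, "send", "email", now=now))
    print(is_allowed(broad, "read", "contacts", now=now))
```

With the fine-grained grant the agent is refused contacts and unconfirmed email, while the generic grant lets the same contacts read through.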
In the guides
AI Agent Identity and MCP: Authenticating Non-Human Identities
How CIAM evolves for AI agents in 2026: MCP, OAuth 2.1 Dynamic Client Registration, scoped agent tokens, and patterns separating agent from human identity.
OAuth 2.1 Explained: What Changed and Why It Matters
OAuth 2.1 consolidates fifteen years of OAuth 2.0 practice into a single coherent specification. What it deprecates, what it requires, and how to migrate existing OAuth 2.0 code.