Glossary: Scopes
Scopes are a mechanism for specifying the access privileges or permissions that a client application is requesting on behalf of the end user. They define the range of resources an application may access and the operations it is permitted to perform on behalf of the end user. By specifying scopes, an application can request only the permissions it needs. Scopes are a key part of access tokens in OAuth 2.
When an end user authorizes an application in OAuth 2, they are granting the application access to specific parts of their account as defined by these scopes. Each scope represents a specific level or type of access, allowing granular control over what the application can and cannot do.
Scopes are human-readable strings included within the access token that specify one or more types of access that an application is requesting. They are defined by the resource server (i.e., the API) and represent the permissions that the application calling the API can request.
Here are some examples of OAuth 2 scopes and the privileges or permissions they grant to an application:
profile: Allows the application to access an end user’s basic profile information (typically their names and photo URL).
email: Allows the application to access the end user’s email address.
https://www.googleapis.com/auth/drive: Specific to Google Drive; allows the application to create, read, update, delete, and download files on the end user’s Google Drive account.
https://www.googleapis.com/auth/drive.readonly: Specific to Google Drive; allows the application to only read and download files on the end user’s Google Drive account.
repo: Specific to GitHub; allows the application full read and write access to the end user’s public and private repositories, including code, commit statuses, repository invitations, collaborators, deployment statuses, and repository webhooks.
public_repo: Specific to GitHub; similar to repo, except full read and write access is limited to the end user’s public repositories.
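The following Python example is added here and is not part of the original glossary entry. It shows how a resource server could enforce the difference between the drive and drive.readonly scopes listed above, and why scope strings must be compared as whole tokens rather than by substring. The operation names, the REQUIRED mapping and the function names are hypothetical, and the scope string is assumed to come from an access token the server has already validated.

```python
# Added example: scope enforcement at a resource server (illustrative, not a real API).
DRIVE = "https://www.googleapis.com/auth/drive"
DRIVE_RO = "https://www.googleapis.com/auth/drive.readonly"

# Hypothetical operation names; each maps to the scopes that are
# individually sufficient to perform it.
REQUIRED = {
    "files.read": {DRIVE, DRIVE_RO},
    "files.download": {DRIVE, DRIVE_RO},
    "files.create": {DRIVE},
    "files.update": {DRIVE},
    "files.delete": {DRIVE},
}


def parse_scope(scope_param):
    """Split a scope value into exact tokens.

    RFC 6749 section 3.3 defines scope as a list of space-delimited,
    case-sensitive strings, so no lowercasing or prefix logic is applied.
    """
    return frozenset(scope_param.split(" ")) - {""}


def is_allowed_naive(scope_param, operation):
    """Flawed check kept for comparison: substring match on the raw string.

    Because the drive scope URL is a prefix of the drive.readonly URL,
    a read-only token passes the test for write operations.
    """
    return any(s in scope_param for s in REQUIRED.get(operation, ()))


def is_allowed(scope_param, operation):
    """Correct check: exact token membership, unknown operations denied."""
    granted = parse_scope(scope_param)
    return bool(granted & REQUIRED.get(operation, frozenset()))


if __name__ == "__main__":
    token_scope = "profile email " + DRIVE_RO  # constructed sample value
    for op in ("files.read", "files.delete"):
        print(op, "naive:", is_allowed_naive(token_scope, op),
              "exact:", is_allowed(token_scope, op))
```
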