Keys and OAuth API Management

The role of OAuth 2 scopes in API management

The role of OAuth 2 scopes in API management

This article will explore the benefit of using OAuth 2 scopes to manage access to APIs.


OAuth 2 is an open standard for privilege delegation.
The right to use a service is controlled via an “access token.” Access tokens may be freely exchanged between parties, can be revoked at any time and should be short-lived.
Refresh tokens may be provided by a service to allow holders to request new access tokens. Refresh tokens should be securely stored and not leaked to other parties, are generally long-lived and may also be revoked at any time.

The privileges referred to as “scopes” by the standard, which a specific access token bestowed upon a holder is specified during its creation and cannot be modified thereafter.
The scopes which a client may request are specific to the context in which the access token will be used, example scenarios could be implementing separation of privilege or limited time privilege escalation.

OAuth 2 scopes provide a mechanism for a client to request specific permissions, examples could be read or write access to data or the ability to create or delete data. A client cannot exceed the permissions granted to it by the access token.


Due to its versatility and the power of scopes to specify and enforce access controls, OAuth 2 has found favor with social network API providers such as Facebook and LinkedIn as well as cloud service providers such as Microsoft, Google and Amazon.
Additionally, commercially available API Management solutions all utilize OAuth 2 as the mechanism by which to control access to the APIs they expose, a user must present a valid access token in order to call an API method.


At design time, when exposing an API via an API Manager, the API publisher will have the opportunity to specify whether one or more scopes should be applied to a particular method in order to control access to that API method.

If the publisher chooses to attach scopes to an API method then all of the specified scopes must be present in the access token of an API consumer in order to be allowed to call that method.
This requirement will be enforced at runtime by the API Manager.

Click here to read the full article from SmartWave.