
Scopes

Scopes are the space-separated permission strings a client sends in the scope parameter when requesting authorization. LumoAuth displays the requested scopes on the consent screen so the user knows what access they are granting. A token is issued only for the intersection of requested scopes and scopes the client is allowed to request.

Standard OIDC Scopes

| Scope | Claims returned |
| --- | --- |
| `openid` | `sub` — required for all OIDC flows |
| `profile` | `name`, `given_name`, `family_name`, `picture`, `locale`, `updated_at` |
| `email` | `email`, `email_verified` |
| `phone` | `phone_number`, `phone_number_verified` |
| `address` | `address` object |
| `offline_access` | Issues a `refresh_token` |

LumoAuth Extension Scopes

| Scope | Description |
| --- | --- |
| `roles` | Include the user's roles in the ID token and UserInfo response |
| `groups` | Include the user's groups |
| `permissions` | Include the user's granted permissions |

Custom Scopes

Create organization-specific scopes in the portal (Settings → Scopes) or via the admin API:

```
GET|POST|DELETE /orgs/{orgId}/api/v1/admin/scopes
```

Create a Custom Scope

```shell
curl -X POST https://app.lumoauth.dev/orgs/acme-corp/api/v1/admin/scopes \
  -H "Authorization: ApiKey lmk_abc123" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "read:reports",
    "description": "Read access to financial reports",
    "isDefault": false
  }'
```

Custom scopes must be explicitly allowed per OAuth client.

Requesting Scopes

Include scopes as a space-separated list in the scope parameter:

```
scope=openid profile email roles read:reports
```

LumoAuth grants only the intersection of requested scopes and scopes allowed for the client. The scope field in the token response reflects what was actually granted.
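The following is an added example, not LumoAuth's code, that re-implements the scope negotiation described on this page: the scope parameter is parsed, the grant is the intersection of requested scopes and the client's allowed scopes (so a custom scope such as `read:reports` that was never allowed for the client is dropped rather than rejected), the `scope` field of the token response reflects what was granted, and claims are released per granted scope according to the tables above. The client registration, user record and claim names for the extension scopes are constructed assumptions.

```python
"""Scope negotiation as described on this page, re-implemented for illustration.
Not LumoAuth's code; the client registration, user record and the claim names
used for the extension scopes are constructed sample data.
"""
from dataclasses import dataclass

# Claims released per scope, from the Standard OIDC Scopes table.
# offline_access controls the refresh token rather than any claim.
OIDC_SCOPE_CLAIMS = {
    "openid": ["sub"],
    "profile": ["name", "given_name", "family_name", "picture", "locale", "updated_at"],
    "email": ["email", "email_verified"],
    "phone": ["phone_number", "phone_number_verified"],
    "address": ["address"],
}
# Extension scopes from the LumoAuth Extension Scopes table. The claim names
# are an assumption (they mirror the scope names).
EXTENSION_SCOPE_CLAIMS = {
    "roles": ["roles"],
    "groups": ["groups"],
    "permissions": ["permissions"],
}


@dataclass(frozen=True)
class Client:
    client_id: str
    # Scopes this client may request. Custom scopes must be listed explicitly.
    allowed_scopes: frozenset


def parse_scope(raw: str) -> list[str]:
    """Split the space-separated scope parameter, dropping blanks and
    duplicates while preserving request order."""
    out: list[str] = []
    for s in raw.split():
        if s not in out:
            out.append(s)
    return out


def grant(client: Client, requested: list[str]) -> list[str]:
    """Intersection of requested and allowed scopes, in request order.
    A scope the client is not allowed to request is silently dropped."""
    return [s for s in requested if s in client.allowed_scopes]


def build_token_response(client: Client, raw_scope: str, user: dict) -> dict:
    """Issue a token response whose `scope` field reflects what was granted.
    The ID token claims are only assembled when `openid` itself was granted."""
    granted = grant(client, parse_scope(raw_scope))
    response = {
        "token_type": "Bearer",
        "access_token": "<constructed>",
        "scope": " ".join(granted),
    }
    if "offline_access" in granted:
        response["refresh_token"] = "<constructed>"
    if "openid" in granted:
        claims = {}
        for scope in granted:
            for claim in OIDC_SCOPE_CLAIMS.get(scope, []) + EXTENSION_SCOPE_CLAIMS.get(scope, []):
                if claim in user:
                    claims[claim] = user[claim]
        response["id_token_claims"] = claims  # what the ID token would carry
    return response


def not_granted(raw_scope: str, response: dict) -> set[str]:
    """Client-side check: read the `scope` field instead of assuming every
    requested scope was granted, and report the ones that were not."""
    return set(parse_scope(raw_scope)) - set(response["scope"].split())


# Constructed sample: this client may request the standard scopes plus
# `roles`, but `read:reports` was never allowed for it.
SAMPLE_CLIENT = Client(
    "web-dashboard",
    frozenset({"openid", "profile", "email", "roles", "offline_access"}),
)
SAMPLE_USER = {
    "sub": "u_123",
    "name": "Ada",
    "email": "ada@example.com",
    "email_verified": True,
    "phone_number": "+1 555 0100",
    "roles": ["analyst"],
}

if __name__ == "__main__":
    requested = "openid profile email roles read:reports"
    resp = build_token_response(SAMPLE_CLIENT, requested, SAMPLE_USER)
    print(resp["scope"])                 # openid profile email roles
    print(not_granted(requested, resp))  # {'read:reports'}
```

Because the authorization server drops disallowed scopes rather than failing the request, a client that needs `read:reports` has to compare the `scope` field against what it asked for (as `not_granted` does) before calling an API that depends on it.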