Thanks for the comments. I am not sure if we can make the scope mandatory. But you can define multiple OAuth clients with different scopes to restrict which APIs a specific client can access. This particular example is based on the client_credentials flow, which is mainly used for client-app-to-API communication. If you want to restrict API access based on the logged-in user's permissions, then it is better to use some user-specific attribute like roles or group membership to protect the APIs.
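To make the point above concrete, here is an added, self-contained example (not code from the original article or from the comment author) of how an API enforces per-client scopes on a client_credentials access token, and how a role claim can additionally gate a route. The authorization server and the API are simulated in one file: tokens are HS256 JWTs signed with a shared key that is constructed for this example (a real API would verify the issuer's signature against its published JWKS), and the issuer URL, client IDs, route table and scope names are all assumptions.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed for this example: a key shared by the authorization server and
# the API. Real deployments verify the issuer's asymmetric signature via JWKS.
SIGNING_KEY = b"example-shared-secret-not-for-production"
ISSUER = "https://auth.example.test"  # assumed issuer URL

# Assumed route table: each route needs one scope, and some additionally
# require a role, which only user tokens carry (client_credentials tokens
# have no end user, so they never satisfy a role requirement).
ROUTES = {
    ("GET", "/orders"): {"scope": "orders:read"},
    ("POST", "/orders"): {"scope": "orders:write"},
    ("DELETE", "/orders"): {"scope": "orders:write", "roles": {"order-admin"}},
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, scopes, roles=None, ttl: int = 300, now=None) -> str:
    """Mint an HS256 JWT the way an authorization server does for a registered
    client: the client's allowed scopes become the space-separated 'scope'
    claim. 'roles' is only set for tokens issued on behalf of a user."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": subject, "scope": " ".join(scopes),
              "iat": now, "exp": now + ttl}
    if roles:
        claims["roles"] = list(roles)
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token: str, now=None) -> Optional[dict]:
    """Return the claims if signature, algorithm, issuer and expiry check out,
    else None. Signature is checked before any claim is trusted."""
    now = int(time.time()) if now is None else now
    try:
        h, c, s = token.split(".")
        expected = hmac.new(SIGNING_KEY, f"{h}.{c}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(c))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256" or claims.get("iss") != ISSUER:
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


def authorize(token: str, method: str, path: str, now=None) -> int:
    """Return the HTTP status an API gateway would produce for this request."""
    rule = ROUTES.get((method, path))
    if rule is None:
        return 404
    claims = verify_token(token, now)
    if claims is None:
        return 401  # not authenticated: bad signature, wrong issuer, expired
    granted = set(claims.get("scope", "").split())
    if rule["scope"] not in granted:
        return 403  # client was never granted this scope
    if rule.get("roles") and not rule["roles"] & set(claims.get("roles", [])):
        return 403  # user lacks the role, or token is a client token with no user
    return 200


if __name__ == "__main__":
    reader = issue_token("reporting-client", ["orders:read"])
    writer = issue_token("fulfilment-client", ["orders:read", "orders:write"])
    admin = issue_token("alice", ["orders:write"], roles=["order-admin"])
    print(authorize(reader, "GET", "/orders"), authorize(reader, "POST", "/orders"))
    print(authorize(writer, "POST", "/orders"), authorize(writer, "DELETE", "/orders"))
    print(authorize(admin, "DELETE", "/orders"))
```

Two clients registered with different scopes get different answers from the same API, which is the restriction the reply describes. Editing the `scope` claim in a token does not help the client, because the signature no longer matches; and a route that needs a role stays closed to any client_credentials token, since such tokens carry no user and therefore no roles.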
