Thanks for the comments. I am not sure if we can make the scope mandatory. But you can define multiple OAuth clients with different scopes to restrict which APIs a specific client can access. This particular example is based on the client_credentials flow, which is mainly used for client-app-to-API communication. If you want to restrict API access based on the logged-in user's permissions, then it is better to use some user-specific attribute like roles or group membership to protect the APIs.
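As an added illustration of the two patterns in this reply (not code from the original thread or its author): a minimal per-endpoint authorizer that checks scopes for client_credentials tokens and roles for user tokens. The API paths, claim names (`client_id`, `scope`, `roles`) and sample claim sets are assumptions constructed for the example, and the claims are assumed to come from an access token whose signature has already been verified.

```python
# Added example: per-endpoint authorization for two token kinds.
# Claims are assumed to be decoded from an ALREADY signature-verified token.
# Claim names "client_id", "scope" and "roles" are assumptions; issuers differ.

# Endpoint policy (hypothetical paths): scopes a client_credentials token
# must carry, and roles an end-user token must carry.
POLICY = {
    "/orders":   {"scopes": {"orders:read"},   "roles": {"sales", "admin"}},
    "/invoices": {"scopes": {"invoices:read"}, "roles": {"finance", "admin"}},
}

def is_client_token(claims):
    # A client_credentials token has no end user behind it; many issuers set
    # sub == client_id or omit sub entirely (assumption; check your issuer).
    return "client_id" in claims and claims.get("sub") in (None, claims["client_id"])

def authorize(claims, path):
    """Return (allowed, reason) for a request to `path` with decoded claims."""
    rule = POLICY.get(path)
    if rule is None:
        return False, "unknown endpoint"          # deny by default
    if is_client_token(claims):
        # Space-separated scope string per RFC 6749; each client is registered
        # with only the scopes its APIs need, as the reply suggests.
        granted = set(claims.get("scope", "").split())
        if rule["scopes"] <= granted:
            return True, "client scope ok"
        return False, f"client {claims['client_id']} lacks scope {rule['scopes']}"
    # End-user token: authorize on a user-specific attribute (roles here).
    roles = set(claims.get("roles", []))
    if roles & rule["roles"]:
        return True, "user role ok"
    return False, f"user {claims.get('sub')} lacks a role in {rule['roles']}"

# Constructed sample claim sets (already-verified tokens).
ORDERS_CLIENT = {"client_id": "orders-svc", "sub": "orders-svc", "scope": "orders:read"}
FINANCE_USER  = {"sub": "alice", "roles": ["finance"]}

if __name__ == "__main__":
    for claims, path in [(ORDERS_CLIENT, "/orders"), (ORDERS_CLIENT, "/invoices"),
                         (FINANCE_USER, "/invoices"), (FINANCE_USER, "/orders")]:
        print(path, authorize(claims, path))
```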