OAuth supported scopes

Hello everyone!

I am setting up a remote MCP server and I am currently having a problem trying to define custom scopes for Role Based Access Control (RBAC).

I created 2 scopes called “mcp:access” and “mcp:tools”.
On the RBAC Policy page on the Stytch Dashboard, I have the following scopes:

  • openid
  • profile
  • email
  • phone
  • offline_access
  • mcp:access
  • mcp:tools

So I have 7 scopes on the dashboard: 5 built-in scopes + 2 custom scopes.

Yet, these 2 new custom scopes are not advertised on the /.well-known/oauth-authorization-server route of my Stytch project.

During the OAuth 2.0 flow, this route is supposed to tell the OAuth Client what the supported scopes are. But instead of getting all scopes (built-ins + custom), I only get the built-in ones:

When I request:

https://<my-stytch-project-link>/.well-known/oauth-authorization-server

I get this answer:

{

… "scopes_supported":["openid","profile","email","phone","offline_access"], …

… }

As you can see, the 2 custom scopes do not appear.
Consequently, my OAuth Client (Claude) asks only for the built-in scopes during the authorization request.

Am I misunderstanding something, or is it on Stytch’s side?

Thank you for your answers!

Hi Aymeri,

Thanks so much for posting and for flagging this!

This does look to be a bug - you’re correct that custom scopes should show up at .well-known/oauth-authorization-server, and it looks like they’re not.

Our team is investigating this and we’ll follow up here with updates!


The fix for this is out!

Sorry about that - we just this week rolled out support for RBAC (and by extension custom scopes) for our Consumer API. Previously they were only available in our B2B API, and we just had to make a small change to make sure .well-known/oauth-authorization-server broadcasts custom scopes for Consumer projects as well.

Thanks again for flagging, and let us know if you’re still seeing any issues or if you have any other questions!


Amazing, thank you so much for the quick fix!
Aymeri
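
An added example, not part of the thread and not Stytch's code: a check that compares the scopes an RBAC policy depends on with the `scopes_supported` list in an RFC 8414 metadata document, so a discovery-driven client silently dropping custom scopes is caught before rollout. The issuer `https://auth.example.test`, the function names and both sample documents are constructed assumptions; `scopes_supported` is optional in RFC 8414, so its absence is reported separately from a missing scope.

```python
import json
from urllib.parse import urlsplit, urlunsplit

WELL_KNOWN = "/.well-known/oauth-authorization-server"

def metadata_url(issuer: str) -> str:
    """RFC 8414 section 3: insert the well-known segment between host and issuer path."""
    parts = urlsplit(issuer)
    if parts.scheme != "https" or parts.query or parts.fragment:
        raise ValueError("issuer must be an https URL without query or fragment")
    path = parts.path.rstrip("/")
    return urlunsplit((parts.scheme, parts.netloc, WELL_KNOWN + path, "", ""))

def check_scopes(issuer: str, metadata_json: str, required: set) -> dict:
    """Compare the scopes the RBAC policy relies on with what the server advertises."""
    meta = json.loads(metadata_json)
    # RFC 8414 section 3.3: the issuer in the document must equal the one queried,
    # otherwise the metadata must not be used.
    if meta.get("issuer") != issuer:
        raise ValueError("issuer mismatch in metadata document")
    advertised = meta.get("scopes_supported")
    if advertised is None:
        # Field is optional; its absence says nothing about which scopes work.
        return {"advertised": None, "missing": set(), "requestable": set(required)}
    advertised = set(advertised)
    return {
        "advertised": advertised,
        "missing": required - advertised,       # what a discovery-driven client never asks for
        "requestable": required & advertised,
    }

# Constructed sample documents; the issuer is a placeholder, not a real project.
ISSUER = "https://auth.example.test"
BUILT_IN = ["openid", "profile", "email", "phone", "offline_access"]
BEFORE_FIX = json.dumps({"issuer": ISSUER, "scopes_supported": BUILT_IN})
AFTER_FIX = json.dumps({"issuer": ISSUER,
                        "scopes_supported": BUILT_IN + ["mcp:access", "mcp:tools"]})
REQUIRED = {"openid", "mcp:access", "mcp:tools"}

if __name__ == "__main__":
    print(metadata_url(ISSUER))
    for label, doc in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, "missing:", sorted(check_scopes(ISSUER, doc, REQUIRED)["missing"]))
```

A non-empty `missing` set means access tokens issued through that client will lack the custom scopes, so resource-server checks on `mcp:access` or `mcp:tools` will reject every call.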