Scope is already provided, even when not requested, for M2M access token

So, my understanding from the client credentials OAuth2 flow (Client Credentials - OAuth 2.0 Simplified) is that a scope may be provided during the credentials exchange.

The access_token that is returned includes the scopes that are available to the M2M client, whether or not I request those scopes.

For example, let’s say I create a client-id that has scopes:

read:admin
write:admin

When I request an access token from https://test.stytch.com/v1/public/{projectId}/oauth2/token, the token that is returned includes all the scopes, even if I only requested one or none.

Hey Alan – thanks for posting!

The expected behavior here is for only the scopes that you request via the scope parameter in your Get access token call to be granted to the resulting access token. If you do not specify the scope parameter, then all scopes belonging to the client will be granted to the resulting access token.

It sounds like something unexpected is happening here, where perhaps the scope parameter isn’t being read or honored correctly. Would you mind sharing a code snippet of one of your Get access token requests (with any sensitive values redacted) where you saw this happen? The resulting request_id would be helpful as well.

Thanks so much!
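As an added example that is not part of either post above and is not Stytch's own code: the request shape the reply describes (a client_credentials grant with an optional, space-delimited scope parameter) and the check a practitioner would want before trusting the resulting token, namely comparing the scopes the server reports back against the scopes that were asked for. The project id, client credentials and the token response are constructed placeholders; the scope handling follows RFC 6749 (sections 3.3, 4.4 and 5.1), not any Stytch-specific claim format.

```python
"""Build an OAuth 2.0 client-credentials token request with an optional
scope parameter, then verify the granted scopes against the requested ones."""
import base64
import json
import urllib.parse
import urllib.request

# Placeholder endpoint: the real path carries your project id (see the thread).
TOKEN_URL = "https://test.stytch.com/v1/public/{projectId}/oauth2/token"


def build_token_request(token_url, client_id, client_secret, scopes=None):
    """Return (url, headers, body) for a client_credentials grant (RFC 6749 4.4).

    Client credentials travel in an HTTP Basic Authorization header; the
    optional ``scope`` parameter is a space-delimited list (RFC 6749 3.3).
    When ``scopes`` is empty the parameter is omitted entirely.
    """
    params = {"grant_type": "client_credentials"}
    if scopes:
        params["scope"] = " ".join(scopes)
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    # urlencode turns ':' into %3A and the space separator into '+'
    return token_url, headers, urllib.parse.urlencode(params)


def send_token_request(url, headers, body):
    """POST the form body and parse the JSON token response (network call)."""
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


def granted_scopes(token_response):
    """Scopes the server reports in the response's ``scope`` field (RFC 6749 5.1)."""
    return set(token_response.get("scope", "").split())


def excess_scopes(requested, token_response):
    """Scopes present on the token that the client did not ask for.

    With no scope requested the server may legitimately grant the client's
    full scope set, so nothing counts as excess in that case. A non-empty
    result for a scoped request is the symptom the thread describes.
    """
    if not requested:
        return set()
    return granted_scopes(token_response) - set(requested)


# Constructed token response for an offline run; values are placeholders.
CONSTRUCTED_RESPONSE = json.loads(
    '{"access_token": "<redacted>", "token_type": "bearer", "expires_in": 3600, '
    '"scope": "read:admin write:admin", "request_id": "request-id-placeholder"}'
)


if __name__ == "__main__":
    url, headers, body = build_token_request(
        TOKEN_URL, "client-id-placeholder", "client-secret-placeholder", ["read:admin"]
    )
    print(body)  # grant_type=client_credentials&scope=read%3Aadmin
    # send_token_request(url, headers, body) would perform the real exchange;
    # here the constructed response stands in for it.
    print(excess_scopes(["read:admin"], CONSTRUCTED_RESPONSE))  # {'write:admin'}
```

If the exchange is done through a client library instead of raw HTTP, the same check still applies: compare the scope the token carries with the scope you sent, and treat any surplus as a misconfiguration to report (along with the request_id) rather than something to silently accept.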