Skip to main content

Scope Format

Grantex defines a standard scope format:

Examples

How Scopes Work

At registration

When a developer registers an agent, they declare the full set of scopes the agent may ever need:

At authorization

When requesting user consent, the agent specifies which scopes it needs for this particular session. These must be a subset of the registered scopes:

In the grant token

Approved scopes are embedded in the JWT’s scp claim:

At verification

Services check the scp claim to decide whether to allow a request:

Scope Enforcement in Integrations

Protected framework integrations (LangChain, CrewAI, Vercel AI, etc.) first verify the token signature and claims with the configured JWKS endpoint, then enforce the verified scp claim. Current standalone verifiers may fetch JWKS on each invocation; they do not merely trust an unverified decode.
If the token doesn’t include the required scope, the tool throws immediately — before your function runs.

User Experience

Users see plain-language descriptions of scopes during the consent flow, not raw scope strings. Service providers define these descriptions when they register their scope definitions with Grantex.

Scope Registry

For a complete list of standard scope definitions organized by domain (calendar, email, payments, files, and more), along with constraint patterns and custom scope guidelines, see the Scope Registry.
Last modified on July 11, 2026