Grantex defines a standard scope format:
Examples
How Scopes Work
At registration
When a developer registers an agent, they declare the full set of scopes the agent may ever need:
At authorization
When requesting user consent, the agent specifies which scopes it needs for this particular session. These must be a subset of the registered scopes:
In the grant token
Approved scopes are embedded in the JWT’s scp claim:
At verification
Services check the scp claim to decide whether to allow a request:
Scope Enforcement in Integrations
Protected framework integrations (LangChain, CrewAI, Vercel AI, etc.) first
verify the token signature and claims with the configured JWKS endpoint, then
enforce the verified scp claim. Current standalone verifiers may fetch JWKS on
each invocation; they do not merely trust an unverified decode.
If the token doesn’t include the required scope, the tool throws immediately — before your function runs.
User Experience
Users see plain-language descriptions of scopes during the consent flow, not raw scope strings. Service providers define these descriptions when they register their scope definitions with Grantex.
Scope Registry
For a complete list of standard scope definitions organized by domain (calendar, email, payments, files, and more), along with constraint patterns and custom scope guidelines, see the Scope Registry. Last modified on July 11, 2026