OAuth Scope Decoder

Paste a space-separated list of OAuth scopes, get a plain-English breakdown of what each one grants. Recognized providers: Google Workspace / Cloud APIs, GitHub OAuth Apps, Microsoft Graph. Helpful when reviewing an OAuth consent screen or auditing an app's permissions.

How to use the OAuth Scope Decoder

Paste the scope string (typically from a URL parameter, an OAuth consent screen URL, or an app's documentation). Each scope is matched against a known list and described in plain English.

Reading what OAuth scopes grant

OAuth scopes are the permissions an app requests when you sign in with Google, GitHub, or Microsoft. They arrive as a space-separated string — repo user:email read:org or a set of long Google API URLs — and the token decides exactly what the app can touch. The trouble is that the strings are terse and provider-specific, so it is easy to approve more access than you realize. Google's drive scope grants every file, where drive.file grants only files the app itself created.

This decoder matches each scope against a known list for the three big providers and explains it in plain language, so you can read a consent screen or audit an integration's permissions at a glance. It is a reference and review aid, not an authorization step — it reads scopes, it does not request or grant anything.

Common use cases

  • Reviewing a consent screen — understand what an app is asking for before you click allow.
  • Security audits — check whether an integration requests more scope than it needs.
  • Least-privilege design — pick the narrowest scope that does the job when building your own OAuth app.
  • Debugging permission errors — confirm a failing API call is covered by the scopes the token actually holds.
  • Documentation — turn a raw scope list into a readable description for a runbook or security review.

Frequently asked questions

Where do I find the scopes an app requested?

They appear in the authorization URL as the scope parameter, on the provider's consent screen, and usually in the app's own settings or documentation. Copy that space-separated string in here.

What is the difference between Google's drive and drive.file scopes?

The drive scope grants access to all of a user's Drive files; drive.file limits the app to files it created or that the user explicitly opened with it. The narrower one is strongly preferred where it suffices.

Do openid, profile, and email do anything sensitive?

Those are the standard OpenID Connect identity scopes: openid enables OIDC, profile shares basic profile fields, and email shares the address. They are about identifying the user, not accessing their data, and are generally low-risk.

Can this tool revoke or change my granted permissions?

No. It only explains scope strings. To revoke access you use the provider's account security settings — Google, GitHub, and Microsoft each have a page listing authorized apps.
Embed this tool on your site

Free to embed, no attribution required (but appreciated). Paste this where you want the tool to appear: