OAuth Scope Decoder
Paste a space-separated list of OAuth scopes, get a plain-English breakdown of what each one grants. Recognized providers: Google Workspace / Cloud APIs, GitHub OAuth Apps, Microsoft Graph. Helpful when reviewing an OAuth consent screen or auditing an app's permissions.
How to use the OAuth Scope Decoder
Paste the scope string (typically from a URL parameter, an OAuth consent screen URL, or an app's documentation). Each scope is matched against a known list and described in plain English.
Reading what OAuth scopes grant
OAuth scopes are the permissions an app requests when you sign in with Google, GitHub, or Microsoft. They arrive as a space-separated string — repo user:email read:org or a set of long Google API URLs — and the token decides exactly what the app can touch. The trouble is that the strings are terse and provider-specific, so it is easy to approve more access than you realize. Google's drive scope grants every file, where drive.file grants only files the app itself created.
This decoder matches each scope against a known list for the three big providers and explains it in plain language, so you can read a consent screen or audit an integration's permissions at a glance. It is a reference and review aid, not an authorization step — it reads scopes, it does not request or grant anything.
Common use cases
- Reviewing a consent screen — understand what an app is asking for before you click allow.
- Security audits — check whether an integration requests more scope than it needs.
- Least-privilege design — pick the narrowest scope that does the job when building your own OAuth app.
- Debugging permission errors — confirm a failing API call is covered by the scopes the token actually holds.
- Documentation — turn a raw scope list into a readable description for a runbook or security review.