---
title: Scopes
---

# Scopes

Scopes are space-separated values in the `scope` parameter of `/oidc/authorize`. They control which claims appear in the `id_token` and userinfo response, and which permissions the access token grants.

## Standard OIDC scopes

| Scope | Grants |
|---|---|
| `openid` | **Required** for any OIDC flow. Returns `sub`, `iss`, `aud`, `exp`, `iat`, `auth_time`, `nonce`. |
| `profile` | `name`, `given_name`, `family_name`, `picture`, `locale`, `updated_at`. |
| `email` | `email`, `email_verified`. |
| `phone` | `phone_number`, `phone_number_verified`. |
| `address` | `address` object. |
| `offline_access` | Issues a `refresh_token` so you can renew without user interaction. |

## Little X Little custom scopes

| Scope | Grants |
|---|---|
| `lxl.access` | The `lxl.access` claim — array of `"Section:Subsection"` permission strings for the current app. |
| `lxl.app` | The `lxl.app` claim — current NGO app code. Implied by `lxl.access`. |
| `lxl.master` | The `lxl.master` claim — `true` if the user is a master administrator on this app. |
| `lxl.role` | The `lxl.role` claim — branch + position string. |
| `lxl.links` | The `lxl.links` claim — array of linked external providers. |

## Best practices

- **Request the minimum.** Only ask for `email` if you'll send mail; only ask for `profile` if you'll display a name.
- **Add `offline_access` only when needed.** It makes long-lived tokens — protect them.
- **Combine `openid` with at least one of `profile` / `email`** — `openid` alone gives you only an opaque `sub`.
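The two scope tables and the best-practice rules above, turned into relying-party helpers as an added example (not part of the Little X Little SDK or docs). It builds the `/oidc/authorize` request, computes which claims a scope set may yield, flags claims a token carries beyond what was requested, and checks an `lxl.access` permission string; the issuer URL, `client_id` and `redirect_uri` are placeholders, and the `id_token` is assumed to be signature-verified and decoded into a dict already.

```python
import secrets
from urllib.parse import urlencode

# Claims granted per scope, copied from the two tables above.
SCOPE_CLAIMS = {
    "openid": {"sub", "iss", "aud", "exp", "iat", "auth_time", "nonce"},
    "profile": {"name", "given_name", "family_name", "picture", "locale", "updated_at"},
    "email": {"email", "email_verified"},
    "phone": {"phone_number", "phone_number_verified"},
    "address": {"address"},
    "offline_access": set(),                  # yields a refresh_token, not a claim
    "lxl.access": {"lxl.access", "lxl.app"},  # lxl.app is implied by lxl.access
    "lxl.app": {"lxl.app"},
    "lxl.master": {"lxl.master"},
    "lxl.role": {"lxl.role"},
    "lxl.links": {"lxl.links"},
}

def expected_claims(scopes):
    """Claims an id_token may carry for the requested scopes; enforces the openid rule."""
    unknown = set(scopes) - SCOPE_CLAIMS.keys()
    if unknown:
        raise ValueError(f"unknown scope(s): {sorted(unknown)}")
    if "openid" not in scopes:
        raise ValueError("openid is required for any OIDC flow")
    return set().union(*(SCOPE_CLAIMS[s] for s in scopes))

def authorize_url(issuer, client_id, redirect_uri, scopes):
    """Build the /oidc/authorize URL (issuer/client values are placeholders)."""
    expected_claims(scopes)  # reject unknown scopes and a missing openid up front
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    query = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
             "scope": " ".join(scopes), "state": state, "nonce": nonce}
    return f"{issuer}/oidc/authorize?{urlencode(query)}", state, nonce

def check_id_token(claims, scopes, nonce):
    """Return problems with a decoded id_token: wrong nonce, or claims no scope grants."""
    problems = []
    if claims.get("nonce") != nonce:
        problems.append("nonce mismatch")
    extra = set(claims) - expected_claims(scopes)
    if extra:  # a token carrying more than you asked for is worth logging
        problems.append(f"claims outside requested scopes: {sorted(extra)}")
    return problems

def has_permission(claims, section, subsection):
    """True if the lxl.access array holds the 'Section:Subsection' permission string."""
    return f"{section}:{subsection}" in claims.get("lxl.access", [])
```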
