# 400 Bad Request: invalid_scope. The requested scope is invalid, unknown, or malformed.

- **ID:** `api/oauth2-invalid-scope`
- **Domain:** api
- **Category:** auth_error
- **Error Code:** `invalid_scope`
- **Verification:** ai_generated
- **Fix Rate:** 90%

## Root Cause

The OAuth2 authorization request includes a scope value that the authorization server does not recognize, or one that the user did not grant.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| OAuth 2.0 RFC 6749 | active | — | — |
| Google Identity Platform | active | — | — |
| Auth0 Node.js SDK v3.0 | active | — | — |

## Workarounds

1. **Verify the exact scope names supported by the API provider. For Google OAuth2, use 'openid email profile' instead of 'email profile'. Example: GET https://accounts.google.com/o/oauth2/v2/auth?scope=openid%20email%20profile&...** (95% success)
2. **Remove any custom or unsupported scopes from the request. Check the provider's documentation for allowed values (e.g., 'read', 'write', 'admin').** (90% success)
3. **If using incremental authorization, ensure the scope parameter is a space-delimited string, not comma-separated.** (85% success)

## Dead Ends

- Adding extra scopes without checking the server documentation leads to immediate rejection by the authorization server. (80% fail)
- Using deprecated scope names (e.g., 'email' vs 'openid email') causes a 400 error because the server expects a specific format. (70% fail)
