# 400 Bad Request: invalid_scope. The requested scope is invalid, unknown, or malformed.

- **ID:** `api/oauth2-invalid-scope`
- **Domain:** api
- **Category:** auth_error
- **Error code:** `invalid_scope`
- **Verification level:** ai_generated
- **Fix rate:** 90%

## Root cause

The request carries a `scope` value that the authorization server does not recognize, that this client is not registered to request, or that exceeds what the resource owner granted (RFC 6749 §4.1.2.1 and §5.2). Where the error surfaces depends on the endpoint: the token endpoint answers with HTTP 400 and a JSON body such as `{"error": "invalid_scope"}`; per the RFC the authorization endpoint reports it as an `error=invalid_scope` parameter on the redirect back to the client's registered `redirect_uri`, although some providers, Google among them, render an error page there instead of redirecting.

## Version compatibility

| Version | Status | Introduced | Deprecated |
|------|------|------|------|
| OAuth 2.0 RFC 6749 | active | — | — |
| Google Identity Platform | active | — | — |
| Auth0 Node.js SDK v3.0 | active | — | — |

## Solutions

1. Use the exact scope names the provider documents; treat them as case-sensitive strings with no wildcards. For Google OAuth2 the OpenID Connect scopes are `openid`, `email` and `profile`; include `openid` whenever you need an ID token, for example `GET https://accounts.google.com/o/oauth2/v2/auth?scope=openid%20email%20profile&...`.
2. Remove any custom or unsupported scopes from the request, and request only the scopes the client is registered for and actually needs; least privilege here also keeps the consent screen honest. Check the provider's documentation for the allowed values (e.g., `read`, `write`, `admin`).
3. Send `scope` as a single space-delimited string (URL-encoded as `%20` or `+`), never comma-separated: a comma-joined list parses as one unknown scope token. This holds for incremental authorization as well, and a refresh-token request may narrow but never widen the scopes originally granted.
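
The three steps above worked through as an added example (not code from this page, Google, or Auth0): a scope parser following the RFC 6749 §3.3 grammar, the server-side decision that produces `invalid_scope` (malformed, unknown, or exceeding the granted set), and a client helper that validates locally before encoding the authorization URL. `CLIENT_ID`, `REDIRECT_URI`, and `REGISTERED_SCOPES` are constructed placeholders; the endpoint URL is the one quoted in step 1.

```python
"""OAuth 2.0 `scope` handling that avoids and diagnoses `invalid_scope`.

Added example, not taken from any provider SDK. It implements the scope
grammar of RFC 6749 section 3.3 and the decision a server makes before
returning `invalid_scope`. Client id, redirect URI and the registered
scope set are constructed placeholders.

    scope       = scope-token *( SP scope-token )
    scope-token = 1*( %x21 / %x23-5B / %x5D-7E )
"""
from __future__ import annotations

import re
from urllib.parse import quote, urlencode

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
CLIENT_ID = "example-client-id"               # placeholder
REDIRECT_URI = "https://app.example.com/cb"   # placeholder
# Constructed set: what the hypothetical server has registered for this client.
REGISTERED_SCOPES = frozenset({"openid", "email", "profile", "read", "write"})

# One scope-token: any printable ASCII except space, '"' (0x22) and '\' (0x5C).
_SCOPE_TOKEN = re.compile(r"[\x21\x23-\x5b\x5d-\x7e]+")


def parse_scope(scope: str) -> list[str]:
    """Split a scope string per RFC 6749 section 3.3, deduplicated, order kept.

    Raises ValueError on an empty string, an empty token (doubled or trailing
    space) or a character outside the grammar. A comma is legal inside a
    token, so "a,b" parses as ONE token; it is rejected later as unknown.
    """
    if not scope:
        raise ValueError("scope is empty")
    tokens: list[str] = []
    for tok in scope.split(" "):
        if not _SCOPE_TOKEN.fullmatch(tok):
            raise ValueError(f"malformed scope-token {tok!r}")
        if tok not in tokens:
            tokens.append(tok)
    return tokens


def decide_scope(requested: str, allowed: frozenset[str],
                 granted: frozenset[str] | None = None) -> dict | None:
    """Server side: return None if acceptable, else an RFC 6749 error body.

    `allowed` is the set registered for the client. `granted` is the set the
    resource owner approved earlier (refresh_token grant); the new request may
    narrow it but never widen it (RFC 6749 section 6).
    """
    try:
        tokens = parse_scope(requested)
    except ValueError as exc:
        return {"error": "invalid_scope", "error_description": str(exc)}
    unknown = [t for t in tokens if t not in allowed]
    if unknown:
        desc = "unknown scope: " + " ".join(unknown)
        # A comma-joined list is one syntactically valid token no server
        # recognizes; name the real mistake in the description.
        if any("," in t for t in unknown):
            desc += " (scopes are space-delimited, not comma-separated)"
        return {"error": "invalid_scope", "error_description": desc}
    if granted is not None:
        widened = [t for t in tokens if t not in granted]
        if widened:
            return {"error": "invalid_scope",
                    "error_description": "exceeds granted scope: " + " ".join(widened)}
    return None


def build_authorization_url(scopes: list[str], state: str) -> str:
    """Client side: validate locally, then encode with %20 between scopes."""
    scope = " ".join(scopes)
    parse_scope(scope)  # fail fast instead of paying a round trip for a 400
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
    }
    # quote_via=quote yields %20 for the separator; the default quote_plus
    # would emit '+', which servers decode to a space as well.
    return AUTH_ENDPOINT + "?" + urlencode(params, quote_via=quote)


if __name__ == "__main__":
    print(build_authorization_url(["openid", "email", "profile"], "xyz"))
    print(decide_scope("openid,email,profile", REGISTERED_SCOPES))
    print(decide_scope("openid email admin", REGISTERED_SCOPES))
    print(decide_scope("openid  email", REGISTERED_SCOPES))
    print(decide_scope("read write", REGISTERED_SCOPES, granted=frozenset({"read"})))
```

Running the module prints a well-formed authorization URL followed by the four failure shapes from the steps above (comma-separated list, unregistered `admin`, empty token from a doubled space, and a refresh request that tries to add `write` to a grant of `read`); `decide_scope` on `"openid email profile"` returns `None`, the accepted case.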

## Failed attempts

- Adding extra scopes without checking the server's documentation leads to immediate rejection by the authorization server, since scope strings are compared exactly against what the client is registered for. (80% failure rate)
- Guessing a scope name in a form the server does not accept, for example a shortened alias where the provider requires the full scope URI, or an OpenID Connect claim scope such as `email` on a server that rejects it unless `openid` is present, causes the 400 because the server expects a specific string. (70% failure rate)
