Scope Builder

Compose an OAuth scope string for your app

OAuth scopes are how an app requests permission to create, update, and delete records from a repo, call XRPC methods, or perform certain account management functions. This is critical to how OAuth works and how an app establishes trust with the people using it.

An app can request individual scopes, which tend to correspond to specific Lexicons, XRPC methods, or management actions.

However, requesting many individual scopes tends to be confusing, and requesting blanket permission to a PDS is overly permissive, so apps can bundle permissions together into Permission Sets. Since their introduction in late 2025, permission sets have been the recommended way for apps to manage OAuth permissions. Note that some scopes, such as uploading files or managing an account's email, cannot be bundled into a set and must be requested individually.

This tool lets you interactively select the scopes your app requires and generates the appropriate scope string. We've included permission sets for Bluesky as well as many popular apps in the atproto ecosystem; if you'd like to have your app's permission set included, let us know. You can even provide a link to a specific permission set (either an at:// URL or a link from lexicon.garden) if you are building your own.

A note about security: an OAuth scope is a request from an app, not an explicit grant. The generated scope string is meant for developers to paste into their own OAuth request, and permission must still be given by the person using the app. The generated scopes have been tested to work with atproto OAuth, but developers are still responsible for requesting only the level of access their app requires.


Further Reading and Resources