Client credentials flow - Difficulty in linking together Authorization Servers to Applications to Custom Scopes

Apologies for these basic questions but I’m having difficulty in assigning custom scopes to applications. Please see below for my use case, my current Okta configuration, and targeted questions. Thanks in advance.


  • My API resource server has 2 endpoints: GET /foo and GET /bar. I want to use client_credentials flow to secure these endpoints.
  • My client FooClient should have its own clientId-secret. It should only be able to access /foo.
  • My client BarClient should have its own clientId-secret. It should only be able to access /bar.
  • The intention is - whenever the resource server receives an API request, it verifies that the request’s access token contains the appropriate scope. For example, when the resource server receives a request for GET /foo, it verifies that the access token contains the “foo” scope.


  • I am using the default Authorization server (via Security → API). I am able to add a foo scope and a bar scope to this Authorization server.
  • I would like FooClient to have its own clientID-secret, and BarClient to also have its own clientId-secret. I have created 2 applications to try and achieve this (via Applications → Create a new app integration → API Services).
  • However I am not able to assign a custom scope to these applications (e.g. assigning foo scope to FooClient). I am only able to grant a list of pre-existing “Okta API scopes”. I am searching for a way to grant custom scopes to my client applications.


  • Is it possible to grant custom scopes to an application?
  • If so - are you able to provide an overview of how to do this in Okta? Context is machine-to-machine auth.
  • Am I attempting anything out of the ordinary here? I’m not certain on best practices so would appreciate any pointers.


It sounds like you have the API Access Management add-on that allows you to create custom scopes.

You will want to configure an access policy to target each client application separately and specify the scopes as well. You may need to modify or disable the default access policy for the custom authorization server.

1 Like