It sounds like you have the API Access Management add-on that allows you to create custom scopes.
You will want to configure an access policy to target each client application separately and specify the scopes as well. You may need to modify or disable the default access policy for the custom authorization server.