OAuth scopes let users grant third-party applications permission to access data held by an organization. Scopes are essential to ensuring proper security and consent around data access, especially as APIs become more prevalent and agentic AI grows. To design effective scopes, organizations should consider the needs of both external developers and end-users. Scopes should be specific to business offerings and well-defined, neither too granular nor too broad. They should also be used in conjunction with roles for a more comprehensive authorization system. The organization running the platform that holds the data defines the meaning of each scope, which can include resources, operations, and hierarchical structures. When designing scopes, it's essential to consider versioning, deprecation, and the impact on the third-party developers who will use them. Organizations should also document their scopes clearly, provide examples, and test their implementation thoroughly. Scopes are a critical component of OAuth and can significantly enhance user experiences by allowing developers to request data and functionality in a standardized way.
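The sketch below is an added example, not code from the original page: a resource-server check in which scopes name a resource hierarchy and an operation, and a request passes only when both the user's consented scopes and the user's role allow it. The scope format (`resource.sub:operation`), the scope names, and the role table are assumptions made for illustration.

```python
# Assumed scope format (illustrative): "<resource>[.<sub-resource>...]:<operation>",
# e.g. "orders:read" or "orders.refunds:write".
# Assumed semantics: a scope on a parent resource covers its children,
# and "write" implies "read".
OPERATION_IMPLIES = {"read": {"read"}, "write": {"read", "write"}}

# Constructed role table: what each role may do regardless of consent.
ROLE_PERMISSIONS = {
    "viewer": {"orders:read", "invoices:read"},
    "billing_admin": {"orders:read", "invoices:write", "orders.refunds:write"},
}


def parse_scope(scope):
    """Split a scope into (resource path segments, operation) or raise ValueError."""
    resource, sep, operation = scope.partition(":")
    if not sep or not resource or operation not in OPERATION_IMPLIES:
        raise ValueError(f"malformed scope: {scope!r}")
    return resource.split("."), operation


def covers(granted, required):
    """True if the granted scope is equal to or an ancestor of the required one."""
    try:
        g_res, g_op = parse_scope(granted)
    except ValueError:
        return False  # scopes outside this format (e.g. "openid") grant nothing here
    r_res, r_op = parse_scope(required)
    # Compare whole path segments, so "orders" never matches "ordersx".
    return r_res[:len(g_res)] == g_res and r_op in OPERATION_IMPLIES[g_op]


def is_authorized(token_scope, role, required):
    """token_scope is the space-delimited scope string from the access token."""
    by_consent = any(covers(g, required) for g in token_scope.split())
    by_role = any(covers(p, required) for p in ROLE_PERMISSIONS.get(role, ()))
    # Scopes cap what the application may do; roles cap what the user may do.
    return by_consent and by_role


if __name__ == "__main__":
    print(is_authorized("openid orders:write", "billing_admin", "orders.refunds:write"))
    print(is_authorized("orders:write", "viewer", "orders:write"))
```

The second call returns `False` even though the token carries `orders:write`, because consent cannot grant an application more than the user's own role permits.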