OAuth Scope Builder

Interactively build ATProtocol OAuth scope strings for your application

1 permission(s)
Include Permission Set

Include a predefined bundle of permissions by NSID

    Restrict this permission set to a specific service
    Add Transition Scope

    Transitional scopes for migrating from password-based authentication

    Note: transition:chat.bsky requires transition:generic to function.
    Add Repository Permission

    Allow record operations on one or more collections

      Add one or more collection NSIDs. Use * for all collections. Press Enter or click + to add.
      Warning: If no actions selected, grants full access (any action allowed)
      Add RPC Permission

      Allow calling specific XRPC methods on remote services

        Add one or more XRPC method NSIDs. Use * for all methods. Press Enter or click + to add.
        Service DID with optional fragment (e.g., #atproto_appview). Use * for any service.
        Note: At least one of LXM or Audience is required. Both cannot be * simultaneously.
        Add Blob Permission

        Allow uploading blobs (media files)

        Add Account Permission

        Access account configuration attributes

        Add Handle Permission

        Access network identity attributes

        Added Permissions

        • atproto Base scope (required for all atproto OAuth sessions)
        Scope Format Reference
        Type Format Example
        Base atproto Required for all atproto OAuth sessions
        Permission Set include:nsid[?aud=...] include:app.bsky.permissions.read
        Repository repo[:collection][?action=...] or
        repo?collection=...&collection=...[&action=...]        		 repo:app.bsky.feed.post?action=create&action=delete
        repo?collection=foo.bar&collection=foo.baz
        Note: Omitting actions grants full access (any action)
        RPC rpc[:lxm][?aud=...] or
        rpc?lxm=...&lxm=...[&aud=...]        		 rpc:app.bsky.feed.getTimeline?aud=did:web:api.bsky.app
        rpc?lxm=foo.bar&lxm=baz.qux
        Blob blob[:accept] blob:image/*
        Account account[:attr][?action=...] account:email, account:repo?action=manage
        Handle identity[:attr] identity:handle, identity:*
        Transition transition:generic, transition:chat.bsky, transition:email Legacy app password equivalent access

        Note: Partial wildcards are NOT supported (e.g., app.bsky.* is invalid). Scopes are space-separated in the final string. See the ATProtocol Permission Spec for full details.

        Lexicon Garden

        @