Using User Scopes with WP OAuth Server and REST API | WordPress OAuth Codex

Using User Scopes with WP OAuth Server and REST API

Documentation under "How To" for WP OAuth Server



Due to the way the REST API was written, scopes serve little purpose when using the default REST API routes. WordPress simply checks the user's permissions via capabilities and processes the request.

WP OAuth Server does store and support scopes as far as listening, storing, and presenting, but it does not limit requests or information based on scopes at this point in time. Scopes are helpful when you need to limit access to users' data, and they are needed with custom REST API routes to ensure a greater level of security.

WP OAuth Server comes with a public function that you can use to gather the scopes for a given access token.

wo_public_get_access_token

With this function, you simply pass the access token as the only parameter, and it returns all the data about the access token, including the scopes.

It is up to the developer to decide how to use the scopes with any custom API route, since scopes are not currently supported with the REST API.
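One way to enforce a scope on a custom route, as an added example that is not WP OAuth Server's own code. The route `myplugin/v1/profile`, the scope name `profile` and the `myplugin_*` helpers are hypothetical. It assumes the token data exposes a space-delimited `scope` value and that the plugin has already authenticated the request as the token's user, so the code adds only the scope check.

```php
<?php
// Added example: scope enforcement for a custom REST route (hypothetical names).
const MYPLUGIN_REQUIRED_SCOPE = 'profile'; // hypothetical scope name

// Pull the bearer token out of the Authorization header (RFC 6750 format).
function myplugin_bearer_token( WP_REST_Request $request ) {
    $header = trim( (string) $request->get_header( 'authorization' ) );
    return preg_match( '/^Bearer\s+(\S+)$/i', $header, $m ) ? $m[1] : null;
}

// Assumption: the data returned by wo_public_get_access_token() carries a
// space-delimited "scope" value (array key or object property). Verify this.
function myplugin_token_scopes( $token_data ) {
    $data  = (array) $token_data;
    $scope = isset( $data['scope'] ) ? (string) $data['scope'] : '';
    return preg_split( '/\s+/', $scope, -1, PREG_SPLIT_NO_EMPTY );
}

// permission_callback: runs before the route callback and fails closed.
function myplugin_require_scope( WP_REST_Request $request ) {
    $token = myplugin_bearer_token( $request );
    if ( null === $token || ! function_exists( 'wo_public_get_access_token' ) ) {
        return new WP_Error( 'rest_unauthorized', 'Bearer token required.', array( 'status' => 401 ) );
    }
    $token_data = wo_public_get_access_token( $token );
    if ( empty( $token_data ) ) {
        return new WP_Error( 'rest_invalid_token', 'Unknown access token.', array( 'status' => 401 ) );
    }
    // Capabilities alone are not enough here: the token must carry the scope.
    if ( ! in_array( MYPLUGIN_REQUIRED_SCOPE, myplugin_token_scopes( $token_data ), true ) ) {
        return new WP_Error( 'rest_insufficient_scope', 'Token lacks the required scope.', array( 'status' => 403 ) );
    }
    return true;
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'myplugin/v1', '/profile', array(
        'methods'             => 'GET',
        'permission_callback' => 'myplugin_require_scope',
        'callback'            => function () {
            // Assumption: the current user was set from the access token.
            $user = wp_get_current_user();
            return rest_ensure_response( array( 'id' => $user->ID, 'name' => $user->display_name ) );
        },
    ) );
} );
```

The exact `in_array` match on whole scope names avoids treating a token with a longer, similarly named scope as authorized.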