#ZegnatRight now, scope is actually supported. It is shown to the user, and the user can accept them. The code issued by selfauth is signed with the secret, so a different token endpoint with the same secret can validate it and will then know that the user accepted whatever scope was asked for.