
Protecting data with the use of dynamic scopes

Instructions on how to configure dynamic scopes and use them as an authorization asset

In addition to defining and requesting scopes one by one with their explicit names, ACP now lets you define and request scopes dynamically. Dynamic scope names are based on a generic template, for example account.*, where * is a wildcard that allows multiple scope-name interpretations.


Speed up and facilitate the process of defining scopes by setting up scopes dynamically.


  • You have login credentials to the ACP administrator portal.
  • You have at least one service created in the ACP administrator portal.
  • You have an application created in ACP.

Add scope

  1. In the workspace, select Applications > Services from the sidebar.

  2. In the Services view, select a service that you want to set up a scope for and go to Scopes.

  3. In the Scopes page, select ADD SCOPE.

  4. In step 1 of the New Scope view, enter an OAuth name and a display name for your scope. Next, select Save scope and continue to proceed.

  5. In step 2 of the New Scope view:

    • Either select policies to set up criteria for client assignment, consent grant, and machine-to-machine protection and close the wizard with Save scope.

    • Or select Skip to omit this step and proceed to the list of scopes with your new scope already included.

Enable scope for an app

  1. In the workspace, go to Applications > Clients.

  2. In the Clients view, select an application that you want to enable the scope for.

  3. In your application view, select the Scopes tab.

  4. In the Scopes tab, select the service that you want to configure and enable your new dynamic scope using the toggle switch.

Check if it works

To test your new dynamic-scope setup:

  1. Make sure that your application has a dynamic scope (for example, account.*) enabled.

  2. Make your application request a specific instance of your dynamic scope, for example account.1.


    Make an authorization call to https://localhost:8443/default/default/oauth2/authorize?client_id=bu27qd10vc42d9kkisp0&redirect_uri=https://example.com&response_type=token&scope=email%20account.1

  3. Log in to the application.


The consent page opens and shows the application requesting access to dynamic scope account.* resolved to account.1.
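
The resolution shown on the consent page can be reasoned about offline. The following is an added example, not Cloudentity code: it builds the authorization request from the test step and maps each requested scope to the enabled scope that covers it. It assumes * stands for one non-empty value with no whitespace; ACP's exact matching rules are not stated on this page, and the function names and the enabled-scope list are hypothetical.

```python
from __future__ import annotations

import re
from urllib.parse import quote, urlencode

# Assumption: "*" stands for one non-empty value containing no whitespace and
# no further "*". ACP's exact matching rules are not stated on this page.
WILDCARD = r"[^\s*]+"


def template_regex(template: str) -> re.Pattern:
    """Compile a scope template such as 'account.*' into a regex.

    Literal parts are escaped, so '.' matches only a dot and
    'accountX1' is not covered by 'account.*'.
    """
    return re.compile(WILDCARD.join(re.escape(p) for p in template.split("*")))


def resolve(requested: str, enabled: list[str]) -> dict[str, str | None]:
    """Map each requested scope to the enabled scope covering it, or None."""
    resolved = {}
    for scope in requested.split():
        resolved[scope] = next(
            (t for t in enabled
             if (t == scope if "*" not in t
                 else template_regex(t).fullmatch(scope))),
            None,
        )
    return resolved


def authorize_url(base: str, client_id: str, redirect_uri: str, scope: str) -> str:
    """Build the authorization URL from the test step, percent-encoding values."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "response_type": "token", "scope": scope}
    return base + "?" + urlencode(params, quote_via=quote)


if __name__ == "__main__":
    enabled = ["email", "account.*"]  # constructed: scopes enabled for the client
    # Constructed request: two covered scopes and two that must not resolve.
    print(resolve("email account.1 accountX1 payments.7", enabled))
    print(authorize_url("https://localhost:8443/default/default/oauth2/authorize",
                        "bu27qd10vc42d9kkisp0", "https://example.com",
                        "email account.1"))
```

Scopes that map to None are not covered by anything enabled for the client, which makes them the entries to look at when a request does not produce the expected consent page.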