Extended Scopes
VoxKey supports extended scopes that add additional claims to access tokens and userinfo responses.
Available Extended Scopes
| Scope | Claims | Description | Included by Default |
|---|---|---|---|
roles | roles | User's assigned realm roles | No |
identities | identities | User's linked social and SSO identities | No |
custom_data | custom_data | Custom data stored on the user object (profile_data) | No |
How to Request
Add one or more extended scopes to the scope parameter in your authorization request:
GET /oauth2/{realm}/code?
response_type=code&
client_id=YOUR_CLIENT_ID&
scope=openid profile email roles&
redirect_uri=...
roles Scope
The roles scope returns the user's assigned realm roles as a roles array in both the access token and the userinfo response.
Request: scope=openid roles
Access token claim:
{
"roles": ["admin", "editor"]
}
Userinfo response:
{
"sub": "9",
"roles": ["admin", "editor"]
}
identities Scope
The identities scope returns the user's linked social and SSO provider identities.
{
"identities": [
{ "provider": "google", "identity_id": "123456" },
{ "provider": "github", "identity_id": "789" }
]
}
custom_data Scope
The custom_data scope returns the user's profile_data object as the custom_data claim in both the access token and the userinfo response.
Discovery
The /.well-known/openid-configuration endpoint includes these scopes in scopes_supported, so clients can discover them dynamically.