Quiz Entry - updated: 2026.07.14
What do the client_id, audience, and scope parameters specify in an OAuth authorization request?
client_id identifies which app is asking, audience names which API the token is for, and scope lists the specific permissions being requested.
These three parameters define who's asking, for access to what, and how much:
| Parameter | Meaning |
|---|---|
client_id |
Public identifier of the app, pre-registered at the authorization server. Tells the AS which application this is. |
audience |
The intended recipient/API of the resulting access token — which resource server it's good for. |
scope |
The set of permissions requested (e.g. read:profile, email). Defines what the app may do with the user's data. |
The client_id is not secret — it's baked into the app's JavaScript. The secret half is the client_secret, used later in the back-channel token exchange.
Tip: Scopes are why a consent screen can say "This app wants to: see your email and read your contacts" — each line is one requested scope.
Go deeper:
oauth.net: Scopes — how scope limits an app's access and drives the consent screen.
RFC 6749 §1.1 — OAuth roles — grounds client_id/audience in the client and resource-server roles.