The error message you're seeing indicates that the OAuth 2.0 client is trying to request a scope that it's not allowed to request. In this case, the problematic scope is 'SPA'. Scopes in OAuth 2.0 are a way to limit an application's access to a user's account. Each scope represents a specific action that the application can perform, such as reading user data or writing a new data. In Ory, when creating an OAuth 2.0 client, you can specify the scopes that the client can request when it requests access tokens. This is done using the

scope

field in the client's configuration. The

scope

field is a string containing a space-separated list of scope values. For example, 'scope1 scope-2 scope.3 scope:4' ([source](https://www.ory.sh/docs/hydra/reference/api)). If you're seeing this error, it's likely that 'SPA' is not included in the list of scopes that the client is allowed to request. You can check the client's configuration by running the following command:

bash ory get oauth2-client {client.id}

This will show you the whole client (excluding its secret). Check that the values are correct, especially the

scope

field ([source](https://www.ory.sh/docs/hydra/debug#refresh-token-flow-fails)). If 'SPA' is not included in the

scope

field, you will need to add it. If you're not sure how to do this, you may need to refer to the documentation for the tool or library you're using to create the OAuth 2.0 client.