<@U04UQ68083H> How to request scopes with a oauth2...
# ory-copilot
@chilly-king-10285 How to request scopes with a oauth2 client credentials JWT tokens in the client_assertion key?
A message from kapa.ai
To request scopes when using the OAuth2 Client Credentials flow with JWT client authentication (i.e., using the `client_assertion` key), you should include the `scope` parameter in your POST request to the token endpoint, just as you would with other authentication methods. Here's how you do it:

1. Generate and sign the JWT with the required claims (`iss`, `sub`, `aud`, `jti`, `exp`, and optionally `iat`), and use it as the value for the `client_assertion` parameter.
2. Send a POST request to the token endpoint with the following form parameters:
   - `grant_type=client_credentials`
   - `client_id=<your-client-id>`
   - `client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer`
   - `client_assertion=<your-signed-jwt>`
   - `scope=<space-separated-scopes>`

Example request:

```http
POST /oauth2/token HTTP/1.1
Host: your-project.projects.oryapis.com
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&
client_id=the-client-id&
client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&
client_assertion=<signed-jwt>&
scope=read write
```

The `scope` parameter is included in the body of the request, not inside the JWT itself. This is the standard way to request specific scopes for the access token you want to obtain using the client credentials flow with JWT authentication. The Ory documentation provides a code example for this flow, where the `scope` is set as a parameter in the request body alongside the other required parameters: [JWT Bearer profile for OAuth2 client authentication](https://www.ory.sh/docs/oauth2-oidc/client-credentials#jwt-bearer-profile-for-oauth2-client-authentication). If you omit the `scope` parameter, the behavior will depend on your Ory Hydra configuration; by default, no scopes are granted unless configured otherwise.

Summary: Add the `scope` parameter to your token request body when using JWTs in the `client_assertion` key for the OAuth2 client credentials flow. The JWT itself does not need to contain the scopes; they are requested via the form parameter.
@chilly-king-10285 and how to request an audience?
A message from kapa.ai
To request an audience when using the OAuth2 Client Credentials flow with JWT client authentication (using the `client_assertion` key), you should include the `audience` parameter in the POST body of your `/oauth2/token` request. The value should be the intended audience(s) for the access token.

Example request:

```http
POST /oauth2/token HTTP/1.1
Host: your-project.projects.oryapis.com
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&
client_id=the-client-id&
client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&
client_assertion=<signed-jwt>&
audience=https://api.my-cloud.com/user
```

You can specify multiple audiences by providing a space-separated list in the `audience` parameter. The Ory documentation confirms that, for the Client Credentials Grant, the `audience` parameter from the POST body is decoded and validated according to the rules for audiences in OAuth2, and is not part of the JWT itself. The JWT's `aud` claim should identify the authorization server (the token endpoint), not the resource server(s) you want the access token for. The `audience` parameter in the request body is what determines the audience of the issued access token: [Audiences in Client Credentials Grant](https://www.ory.sh/docs/hydra/guides/audiences#audiences-in-client-credentials-grant).

Summary:
- Add the `audience` parameter to your token request body to request a specific audience for the access token.
- The `aud` claim in the JWT is for the authorization server (token endpoint), not the resource server(s).
- The `audience` parameter in the request body is what Ory uses to set the audience of the issued access token.