I am implementing a consent endpoint to integrate Hydra. – When getting the consent request via the Hydra backend API, is the requested_scope already checked by hydra or is it possible that it consists scopes that should not be allowed for the OAuth client?

Hm good question, just by going in the flow graphic in https://www.ory.sh/hydra/docs/next/concepts/consent/ i would say the end user first gets redirected and then consent info (including requested_scopes) gets fetched from hydra. you may need to make sure that the client is allowed to request the scopes in the consent endpoint, but I am not 100% certain, will let you know if I have more certainty.

Thank you.