The Importance of Scopes in APIs

Every call to an API should be accompanied with an access token unless it's a public API. And that is just a commonization of kind of good security principles across the whole domain. So you can then, in the way that I've aligned atomic architecture with OAuth too, is that I say that a scope is really just a set of operations that you're allowed to do. But there are plenty of other ways of making these kind of access control decisions.