Category: security | Workaround: solid | Stage: build | Freshness: persistent | Scope: framework | Recurring: Yes | Buyer Type: team
Overly broad scopes and long-lived access tokens
8/10 High
Teams define scopes too broadly (e.g., `full_access`, `admin_all`) and issue access tokens valid for hours or days instead of minutes, dramatically increasing the blast radius if a token is stolen.
Sources
Collection History
Query: “What are the most common pain points with OAuth 2.0 for developers in 2025?” (3/31/2026)
Overly broad scopes and long-lived access tokens are a gift to attackers... A stolen token with `full_access` and a long lifetime is effectively a roaming admin credential... Issue short-lived access tokens and rely on refresh tokens or re-auth for longer sessions.
Created: 3/31/2026
Updated: 3/31/2026