2025-11 Upcoming Mandatory Scope Parameter
Starting 31 March 2026, all new OAuth authorization requests must include a scope parameter. Requests without the scope parameter will be declined.
What is changing?
Previously, apps could initiate the authorization flow without specifying the scope parameter. From the effective date, any authorization request missing scopes will be declined, ensuring retailers clearly see which permissions an app is requesting.
Why are we making this change?
This update standardizes the authorization flow and improves transparency. By requiring explicit scopes, retailers can make informed decisions about the permissions granted to apps.
Impact
- New connections initiated on or after 2026-03-31 that omit &scope= will receive an access_denied response.
- Existing connections established before this date will continue to work as usual.
- Refresh token flows are unchanged.
Required Actions for Integrators
- Identify which API endpoints your app uses and list the corresponding scopes (see scopes documentation).
- Test your app using a token limited to those scopes to confirm all functionality works as expected.
- Update your authorization URLs to include the space-delimited scope parameter before 2026-03-31.
Example
❌ Missing scope parameter:
{redirect_uri}?error=access_denied
✅ Correct — includes required scope parameter:
https://secure.retail.lightspeed.app/connect?response_type=code&client_id={client_id}&redirect_uri={redirect_uri}&state={state}&scope=products:read%20sales:read%20customers:read
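As an added example (not Lightspeed's own code), the Python below builds the authorization URL with the space-delimited scope parameter, flags existing authorization URLs that omit it, and handles the access_denied redirect. The function names, the sample client ID and redirect URI used to exercise it, and the state check are assumptions made for illustration.

```python
import hmac
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlsplit

AUTHORIZE_ENDPOINT = "https://secure.retail.lightspeed.app/connect"  # from the page

def build_authorize_url(client_id, redirect_uri, scopes, state=None):
    """Return (url, state); refuses to build a request that has no scopes."""
    scopes = [s.strip() for s in scopes if s and s.strip()]
    if not scopes:
        raise ValueError("scope is mandatory: list the scopes the app needs")
    state = state or secrets.token_urlsafe(32)  # unguessable per-request value
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "scope": " ".join(scopes),  # space-delimited, as the page requires
    }
    # quote (not the default quote_plus) encodes the space as %20, as in the page's URL
    query = urlencode(params, quote_via=quote, safe=":")
    return AUTHORIZE_ENDPOINT + "?" + query, state

def missing_scope(authorize_url):
    """Audit helper: True if an authorization URL has no non-empty scope value."""
    values = parse_qs(urlsplit(authorize_url).query).get("scope", [])
    return not any(v.strip() for v in values)

def parse_callback(callback_url, expected_state):
    """Return the authorization code; raise on an error or a state mismatch."""
    q = parse_qs(urlsplit(callback_url).query)
    if "error" in q:
        raise PermissionError(q["error"][0])  # e.g. access_denied
    got = q.get("state", [""])[0]
    if not hmac.compare_digest(got.encode(), expected_state.encode()):
        raise ValueError("state mismatch: discard this response")
    code = q.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries neither code nor error")
    return code
```

Running missing_scope over the authorization URLs your app currently generates shows which ones still need updating before 2026-03-31.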
If you have any questions about this change, please reach out to Support or submit feedback through the Developer Portal.
