Okta Authorization Error Occurs Stating Custom Scopes Are Not Allowed For This Request
Okta Classic Engine
Okta Identity Engine
API Access Management
Overview

When an application passes a custom scope to the Okta Org Authorization Server, Okta generates an authorization error because the Org Authorization Server does not support custom scopes. To resolve this issue, configure the application to use a Custom Authorization Server, which requires the API Access Management (API AM) feature. Okta returns the following error to the callback route during the authorize request:

error=invalid_scope&error_description=Custom scopes are not allowed for this request

Additionally, Okta logs an event in the System Log containing the following failure reason:

Custom scopes are not allowed for this request

Applies To
  • Okta Identity Engine (OIE)
  • Okta Classic Engine
  • API Access Management (API AM)
  • Custom Authorization Server
  • OAuth 2.0/OpenID Connect (OIDC)
Cause

The Okta Org Authorization Server (https://<okta_domain>/oauth2/v1/authorize) only supports Okta-defined scopes and does not support custom scopes. Passing a custom scope to the Org Authorization Server results in an error. Only a Custom Authorization Server supports custom scopes.

Solution

To fix this error, configure the application to use a Custom Authorization Server instead of the Org Authorization Server. The default Custom Authorization Server URL is https://<okta_domain>/oauth2/default/v1/authorize.

If using a specific Custom Authorization Server, the URL format is https://<okta_domain>/oauth2/<custom_authorization_server_id>/v1/authorize.

NOTE: Custom Authorization Servers require the API Access Management (API AM) feature. If the Authorization Servers tab is missing under Security > API in the Okta Admin Console, the Okta org does not have the API AM feature.

To verify the availability of Custom Authorization Servers and resolve the error, navigate to the API settings in the Okta Admin Console and update the application configuration.

  1. Navigate to Security > API in the Okta Admin Console.
  2. Verify that the Authorization Servers tab is present.
  3. Update the application configuration to use a Custom Authorization Server URL instead of the Org Authorization Server URL.
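The following is an added example (not Okta's code or SDK) that pre-checks an authorize request for the mismatch described above: custom scopes paired with the Org Authorization Server path, versus a Custom Authorization Server path. It also parses the invalid_scope error the callback route receives. The set of Okta-defined scopes, the okta.* prefix rule and the sample domain are assumptions, not taken from this article.

```python
"""Pre-flight check for an Okta /authorize request and parser for the
callback error. Illustrative code added to this article, not Okta's own."""
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: the Org Authorization Server accepts the standard OIDC scopes
# plus Okta's own "okta.*" API scopes; anything else is treated as a custom
# scope, which only a Custom Authorization Server can issue.
OKTA_DEFINED_SCOPES = {"openid", "profile", "email", "address", "phone",
                       "offline_access", "groups"}
ORG_AS_PATH = re.compile(r"^/oauth2/v1/authorize$")
CUSTOM_AS_PATH = re.compile(r"^/oauth2/(?P<as_id>[^/]+)/v1/authorize$")


def is_custom_scope(scope: str) -> bool:
    """True for scopes the Org Authorization Server will reject."""
    return scope not in OKTA_DEFINED_SCOPES and not scope.startswith("okta.")


def classify_authorize_url(url: str) -> str:
    """Return 'org', 'custom' or 'unknown' for an Okta authorize endpoint.
    'custom' covers both /oauth2/default/ and /oauth2/<as_id>/ paths."""
    path = urlsplit(url).path
    if ORG_AS_PATH.match(path):
        return "org"
    if CUSTOM_AS_PATH.match(path):
        return "custom"
    return "unknown"


def scopes_that_will_fail(authorize_url: str, scopes: list[str]) -> list[str]:
    """Custom scopes that would trigger invalid_scope on the Org AS.
    Returns [] when the request targets a Custom Authorization Server."""
    custom = [s for s in scopes if is_custom_scope(s)]
    if classify_authorize_url(authorize_url) == "org":
        return custom
    return []


def parse_callback_error(callback_url: str) -> dict:
    """Extract error/error_description from the callback redirect. The
    parameters arrive in the query (code flow) or fragment (implicit flow)."""
    parts = urlsplit(callback_url)
    params = parse_qs(parts.query) or parse_qs(parts.fragment)
    return {k: params[k][0] for k in ("error", "error_description")
            if k in params}


if __name__ == "__main__":
    # Constructed sample: a custom scope sent to the Org Authorization Server.
    url = "https://dev-000000.okta.com/oauth2/v1/authorize"
    print(scopes_that_will_fail(url, ["openid", "read:reports"]))
```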
