Hi Melissa,
I understand the confusion and I'll try to make it clearer.
Client Scope is about managing protocol mappers and role mappings in a
single place, where these scopes may be requested by clients when they are
sending authorization requests to the server (using the scope parameter).
One of the main differences between Client Scope vs Scope (in client
details) is that Client Scope configuration is shared across multiple
clients and it includes the configuration you usually do in the Scope tab
for clients. In addition to that, Client Scope is more OAuth related given
that you have more control over how the server should deal with the scopes
requested by clients. For instance, whether to show them on the consent page
(if user consent is enabled for the client), etc.
Authorization Scopes are related to fine-grained permissions, an extension
to the standard OAuth implementation (there is a specific grant type[1] for
this) that allows you to manage your protected resources and the scopes
(e.g., actions you can perform, attributes, etc.) associated with them where
access to these resources/scopes is enforced based on policies. In this
context, the authorization scopes are granted to clients based on the
evaluation of these policies. These scopes are not granted by default (when
clients request them) and are not granted based on user consent.
I hope it helps.
[1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_s...
On Wed, Apr 10, 2019 at 8:04 AM Melissa Palmer <melissa.palmer(a)gmail.com>
wrote:
Hi
Please may someone explain the differences between 'Client scopes vs.
Scopes vs Authorization Scopes' seen on the admin console of Keycloak.
Thanks in Advance
Melissa
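
The distinction drawn in the reply above, shown on token contents. This is an added example, not part of the original thread or Keycloak's own code. It assumes Keycloak's token layout, where scopes granted from the scope parameter appear in the `scope` claim and policy-granted authorization scopes appear under `authorization.permissions`; the client `photo-app`, resource `album` and scope `album:view` are constructed sample values.

```python
import base64
import json


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT-shaped string for this demo only."""
    header = _b64url(json.dumps({"alg": "none"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def decode_claims(token: str) -> dict:
    """Decode the payload for inspection. No signature check is done here;
    a resource server must verify the token before trusting any claim."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def client_scopes(token: str) -> set:
    """Scopes granted from the OAuth scope parameter (client scopes)."""
    return set(decode_claims(token).get("scope", "").split())


def authorization_scopes(token: str) -> dict:
    """Map resource name -> scopes granted by policy evaluation."""
    perms = decode_claims(token).get("authorization", {}).get("permissions", [])
    return {p.get("rsname", p.get("rsid")): set(p.get("scopes", [])) for p in perms}


def is_permitted(token: str, resource: str, scope: str) -> bool:
    """Only a policy-granted permission counts, never the scope claim."""
    return scope in authorization_scopes(token).get(resource, set())


# Constructed samples. The first token carries a client scope that happens to
# share a name with an authorization scope; it still grants no permission.
ACCESS_TOKEN = make_sample_token({"azp": "photo-app", "scope": "openid profile album:view"})
RPT = make_sample_token({
    "azp": "photo-app",
    "scope": "openid profile",
    "authorization": {"permissions": [
        {"rsid": "constructed-id-1", "rsname": "album", "scopes": ["album:view"]}]},
})

if __name__ == "__main__":
    for name, tok in (("access token", ACCESS_TOKEN), ("RPT", RPT)):
        print(name, sorted(client_scopes(tok)), authorization_scopes(tok),
              is_permitted(tok, "album", "album:view"))
```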