Scopes reference

The complete catalog of identity claims you can request. Mark each as Required, Optional, or Skip on the developer dashboard — that's the manifest the consent screen renders.

Standard OIDC scopes

openid
Required on every request. Activates OIDC mode.
profile
Compatibility alias for wa:name.full + wa:photo. Use the explicit scopes instead — they give the user better control over what they share.
email
Not honored. Whisp3r Auth does not release the user's email address. Use email relay instead.

Whisp3r-specific scopes

All prefixed with wa:.

wa:photo

Profile photo. Available as picture in userinfo — a URL pointing at our avatar endpoint, which 302s to the user's current image (or to a deterministic generated avatar if none uploaded).

wa:name.first

Just the first name. Available as given_name.

wa:name.full

Full name — first, middle, last, suffix. Implies wa:name.first (redundant on the consent screen if both requested). Available as name, given_name, middle_name, family_name.

wa:username

The user's Whisp3r Auth username. Available as preferred_username. Same handle across every connected app — propagates on change.

wa:pronouns

The pronouns the user has chosen — e.g. she/her. Available as pronouns.

wa:age.tiers

Yes/no checks for whether the user is at least 13, 16, 18, or 21. The actual birthday never leaves Whisp3r Auth.

"age_gate": {
  "13": true,
  "16": true,
  "18": true,
  "21": false
}

wa:birthday

The exact birthday — month, day, year. Sensitive. The consent screen calls this out specifically. Only ask if your app genuinely needs it (insurance, regulated KYC); otherwise use wa:age.tiers. Implies wa:age.tiers.

Available as birthdate in ISO YYYY-MM-DD form.

wa:language

The user's preferred interface language as a BCP-47 tag — "en-US", "fr", "es-MX", etc. Available as locale. Falls back to null if the user hasn't set one.

wa:cookies

The user's analytics + marketing cookie opt-ins. Available as cookie_preferences:

"cookie_preferences": {
  "analytics": false,
  "marketing": true
}

Respect these. The user opted in once at Whisp3r Auth; if your app re-prompts them, you erode the trust this platform is selling.

Auto-granted scopes

Hidden from the consent screen. Granted to every authorized app.

wa:email.relay
Lets your app POST to /api/relay/email to send a user a message without learning their address.
wa:webhook
Lets your registered webhook URL receive signed events when a granted field changes. See Webhooks.

Scope dependency rules

Some scopes imply others. Requesting a "stronger" scope is treated as also requesting the weaker form:

wa:name.full →
wa:name.first
wa:birthday →
wa:age.tiers

The developer dashboard reflects this in the picker (toggling a parent required locks its implied child to required too). The consent screen hides the implied child from the user — they only see the parent decision.

Terms Privacy Policy Cookies Sitemap

Copyright © 2026 Whisp3r Auth. All rights reserved.

72 28 14 36 01

enen-GBesfrdept