invalid_scope Error (400) When Using Refresh Token

Hey everyone! We're running into an issue with refresh tokens in our Angular application and could use some help.

Problem:
When the automatic silent refresh is triggered, we're getting a 400 error with:
error: "invalid_scope"

Setup:
We're using the Angular OIDC client with automatic silent refresh:

typescriptthis.oauthService.setupAutomaticSilentRefresh();

typescriptthis.oauthService.setupAutomaticSilentRefresh();

typescriptthis.oauthService.setupAutomaticSilentRefresh();

typescriptthis.oauthService.setupAutomaticSilentRefresh();

Token Request Payload:

grant_type: refresh_token
scope: openid profile email picture offline_access urn:zitadel:iam:org:project urn:zitadel:iam:org:project urn:zitadel:iam:user:metadata urn:zitadel:iam:org:project:roles urn:zitadel:iam:user:resourceowner zitadel:aud urn:zitadel:iam:org:project🆔zitadel:aud 
refresh_token: RweRCsOFMsaucx7ILObPEyGRy62YSjSO1ZSrgeQGHWAtEDXK6nZiqtdjCvGE_jolbTtP0nnyBbhaE5MWt5_U4c7Rxitx3W6OxYX2qyDK
client_id: 324065386xxxx

grant_type: refresh_token
scope: openid profile email picture offline_access urn:zitadel:iam:org:project urn:zitadel:iam:org:project urn:zitadel:iam:user:metadata urn:zitadel:iam:org:project:roles urn:zitadel:iam:user:resourceowner zitadel:aud urn:zitadel:iam:org:project🆔zitadel:aud 
refresh_token: RweRCsOFMsaucx7ILObPEyGRy62YSjSO1ZSrgeQGHWAtEDXK6nZiqtdjCvGE_jolbTtP0nnyBbhaE5MWt5_U4c7Rxitx3W6OxYX2qyDK
client_id: 324065386xxxx

grant_type: refresh_token
scope: openid profile email picture offline_access urn:zitadel:iam:org:project urn:zitadel:iam:org:project urn:zitadel:iam:user:metadata urn:zitadel:iam:org:project:roles urn:zitadel:iam:user:resourceowner zitadel:aud urn:zitadel:iam:org:project🆔zitadel:aud 
refresh_token: RweRCsOFMsaucx7ILObPEyGRy62YSjSO1ZSrgeQGHWAtEDXK6nZiqtdjCvGE_jolbTtP0nnyBbhaE5MWt5_U4c7Rxitx3W6OxYX2qyDK
client_id: 324065386xxxx

grant_type: refresh_token
scope: openid profile email picture offline_access urn:zitadel:iam:org:project urn:zitadel:iam:org:project urn:zitadel:iam:user:metadata urn:zitadel:iam:org:project:roles urn:zitadel:iam:user:resourceowner zitadel:aud urn:zitadel:iam:org:project🆔zitadel:aud 
refresh_token: RweRCsOFMsaucx7ILObPEyGRy62YSjSO1ZSrgeQGHWAtEDXK6nZiqtdjCvGE_jolbTtP0nnyBbhaE5MWt5_U4c7Rxitx3W6OxYX2qyDK
client_id: 324065386xxxx

`

What We've Tried:

Enabled "Refresh Token" in the App settings

Followed the Zitadel Angular example setup
Questions:

Are there specific scopes that shouldn't be included in a refresh token request?
Do we need to configure the allowed scopes differently in the application settings?
Is there a mismatch between the initial auth scopes and refresh scopes?

Any guidance would be greatly appreciated!

Ask Inkeep•12/11/25, 12:28 PM

Hi @VilleFTW, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.

Ask Inkeep•12/11/25, 12:28 PM

Answer

I wasn't able to find a direct answer, here are some relevant sources:

OpenID Connect Endpoints in ZITADEL (1) :

Documents that when using the refresh token grant, the scope parameter must be a subset of the scope originally requested by the corresponding auth request—if scopes exceed the original, it can result in an invalid_scopeinvalid_scope error.

ZITADEL with Angular (2) :

Shows the recommended Angular setup using scope: 'openid profile email offline_access'scope: 'openid profile email offline_access' in the AuthConfig—your scope list appears to include several additional ZITADEL-specific scopes that may not have been in your original authorization request.

The invalid_scopeinvalid_scope error typically occurs when the scopes requested during refresh exceed what was originally authorized. (1) Your payload shows duplicate scopes (urn:zitadel:iam:org:projecturn:zitadel:iam:org:project appears twice) and picturepicture which isn't in the standard example. (2)

I'd suggest verifying that your refresh request scopes match exactly what was requested during initial authorization, or omit the scope parameter entirely during refresh (ZITADEL will reuse the original scopes) . (1)

Would you like a general answer based on my knowledge, or would you prefer to click "Ask for help" to have a team member review this?

Ask Inkeep•12/11/25, 12:28 PM

To learn more, see the sources I considered:

[1] OpenID Connect Endpoints in ZITADEL
[2] ZITADEL with Angular

Ask Inkeep•12/11/25, 12:28 PM

Feel free to tag @Ask Inkeep with additional questions.

AAsk Inkeep To learn more, see the sources I considered: [[1] OpenID Connect Endpoints in...

Ask InkeepAPP•12/11/25, 12:40 PM

Got it. Tagging @Rajat for additional help.

VilleFTWOP•12/15/25, 2:31 PM

We're still having issues with this one @Rajat . Even reduced the amount of scopes to include only the important ones, namely scope: 'openid profile email offline_access'. This works, however, because we don't have access to the rest " urn zitadel

iam:org:project urn zitadel

iam:user:metadata urn zitadel

iam:org:project:roles urn zitadel

iam:user:resourceowner zitadel:aud urn zitadel

iam:org:project

zitadel:aud ". What can we do about this one?

Rajat•12/15/25, 4:00 PM

hey @VilleFTW raising this internally

Rajat•12/15/25, 4:18 PM

hey @VilleFTW I just saw you passed a scopes which don't exist , here you can read scopes in zitadel
urn:zitadel:iam:org:projecturn:zitadel:iam:org:project (not a scope in zitadel)
urn:zitadel:iam:org:project:rolesurn:zitadel:iam:org:project:roles (not a scope)

zitadel:audzitadel:aud (not a scope). I think it should be urn:zitadel:iam:org:project🆔zitadel:audurn:zitadel:iam:org:project🆔zitadel:aud

I think invalid_scopeinvalid_scope here is happening because your refresh call is sending scopes that zitadel doesn’t recognize as valid scopes
what happens if you just pass openid profile email offline_access urn:zitadel:iam:org:project🆔zitadel:audopenid profile email offline_access urn:zitadel:iam:org:project🆔zitadel:aud??.
I would also like to know what version are you and how are you hosted?. Thank You

VilleFTWOP•12/15/25, 4:52 PM

Hey @Rajat , thanks for the reply first and foremost!

I am in the process of modifying it and testing it and seeing what other parts of our systems are affected. I will let you know if this is the right solution!

Rajat•12/15/25, 5:00 PM

sure no problem, I am also trying to make an educated guess

I cross checked the scopes from your question only to realise that they dont exist