# Keycloak token scope we want token A to have scope like ```json { ..., "scope": "read:product profile buy:product email", "preferred_username": "userA" ..., } ``` but token B will be ```json { ..., "scope": "read:product profile buy:product scopeNameX email", "preferred_username": "userB" ..., } ``` `user B` has more scopes than `user A` To do so in Keycloak. 1. Client Scopes > create (click the button top right) 2. Add `Name` for instance `scopeNameX` click `save` 3. Client Scopes > scopeNameX > Mappers > click `Create` (top right) 4. Make sure you are in `Create Protocol Mapper` page. - Add Name **scopeNameX** - Mapper Type : **User Attribute** - User Attribute: **scopeNameX** - Token Claim Name: **scope** - Claim JSON Type: **String** - Click `Save` 5. Clients > click client id you wanted. 6. Click `Client Scopes` > Setup > Default Client Scopes > Available Client Scopes. Add `scopeNameX` to Default Client Scopes. 7. Client > click client id you watned > Role > click `Add Role` - Role Name: **scopeNameXRole** - click `Save` 8 Users > click user you wanted > Role Mapping > Client Rles > click dropdown to select client 8. Add `scopeNameXRole` to assigned Roles 9. Verify it works - Clients > your client id > Client Scopes > Evaluate - User > click dorpdown > Start typing user name > Click Evaluate > click Generated Access Token tab - verify if you can see `scopeNameX` in accessToken's scope 10. (Optional) To change `scopeNameX` in accessToken's scope go to 1. Client Scopes > Click `scopeNameX` or any scope you want. 2. in Setting tab, set new name then click `save`