This article was originally published on Jo4 Blog.

Our OAuth implementation worked perfectly. Every test passed. Users authorized apps, got tokens, refreshed them. Textbook OAuth 2.0.

Then a Pipedream integration broke.

The Problem

A user reported that their Pipedream workflow couldn't access certain API endpoints. The token was valid, the scopes were granted — but the API returned 403 Forbidden.

The error logs showed the token had zero scopes. That's impossible — we confirmed the user authorized read:urls write:urls during the consent flow.

The Root Cause

OAuth 2.0 (RFC 6749) defines scopes as space-delimited:

    scope = "read:urls write:urls"

But some OAuth clients send them comma-delimited:

    scope = "read:urls,write:urls"

Our scope parser split on spaces. Pipedream sent commas. The parser saw "read:urls,write:urls" as a single unknown scope, which mapped to zero valid scopes.

One character. Comma vs space.…
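
The failure described above, next to one way to harden the parser, as an added example that is not Jo4's code. `KNOWN_SCOPES`, the function names and the policy of rejecting unknown scopes with `invalid_scope` are assumptions made for illustration; only the two scope names come from the article.

```python
import re

# Hypothetical scope registry; the two names are the ones quoted in the article.
KNOWN_SCOPES = frozenset({"read:urls", "write:urls"})

# RFC 6749 section 3.3: scope-token = 1*( %x21 / %x23-5B / %x5D-7E )
SCOPE_TOKEN = re.compile(r"[\x21\x23-\x5B\x5D-\x7E]+")


class InvalidScope(ValueError):
    """Would be returned to the client as the OAuth 2.0 `invalid_scope` error."""


def parse_scopes_naive(raw):
    """Behaviour the article describes: split on spaces, drop unknown tokens."""
    return {tok for tok in raw.split(" ") if tok in KNOWN_SCOPES}


def parse_scopes(raw, known=KNOWN_SCOPES):
    """Accept space- or comma-delimited scopes; reject anything unrecognised."""
    # A comma is a legal scope-token character in RFC 6749, so treating it as
    # a delimiter is only safe when no registered scope contains one.
    if any("," in scope for scope in known):
        raise RuntimeError("a registered scope contains ','; cannot split on it")
    tokens = [t for t in re.split(r"[ ,]+", raw.strip()) if t]
    if not tokens:
        raise InvalidScope("empty scope")
    for tok in tokens:
        if not SCOPE_TOKEN.fullmatch(tok):
            raise InvalidScope(f"malformed scope token: {tok!r}")
        if tok not in known:
            # Fail loudly instead of silently issuing a token with fewer
            # scopes than the client requested.
            raise InvalidScope(f"unknown scope: {tok!r}")
    return set(tokens)


def canonical_scope(raw, known=KNOWN_SCOPES):
    """Space-delimited, sorted form to store with the token and echo back."""
    return " ".join(sorted(parse_scopes(raw, known)))
```

Rejecting unknown tokens rather than dropping them turns the silent zero-scope token into an error at authorization time, where it is visible to the client developer.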