# `AttestoPhoenix.Plug.RequireScopes`
[🔗](https://github.com/XukuLLC/attesto_phoenix/blob/v0.19.0/lib/attesto_phoenix/plug/require_scopes.ex#L1)

Phoenix alias for `Attesto.Plug.RequireScopes`.

Scope authorization is protocol logic, so the implementation remains in the
core `attesto` package and uses `Attesto.Scope` grant-form algebra. This
module exists to give Phoenix routers a stable `AttestoPhoenix.Plug.*` surface
alongside `AttestoPhoenix.Plug.Authenticate`.

## RFC 9728 `resource_metadata` on the 403

Unlike `AttestoPhoenix.Plug.Authenticate` (which sources the
`resource_metadata` pointer from `AttestoPhoenix.Config`), this plug is a thin,
config-independent protocol alias so it stays usable in a resource-server-only
deployment with no host config. Its `insufficient_scope` (403) challenge
therefore omits the pointer unless one is passed explicitly:

    plug AttestoPhoenix.Plug.RequireScopes,
      scopes: ["read:reports"],
      resource_metadata: "https://api.example/.well-known/oauth-protected-resource"

This is intentional, not a discovery gap: a 403 is only reached *after* the
request authenticated, so the client already received the pointer on the
initial unauthenticated 401 from `Authenticate`, and RFC 9728 §5.1 makes the
`resource_metadata` auth-param OPTIONAL on a challenge.

---

*Consult [api-reference.md](api-reference.md) for complete listing*