A claim is statement that a particular entity has a particular property. In authentication, we usually think of claims as assertions about a user, as asserted by the Identity Provider. Claims are critical to reach the highest level in the API Security Maturity model. When designing a token-based architecture, it's important to understand how identity data is passed around. Claims provide a fundamental means for how to trust that the data is valid and true. A scope is a grouping of claims. In OAuth, a scope is defined as a string that may represent a resource the Client requests access to. The Scope is what gives access to APIs (with a valid token). But Scopes are also what gives access to claims.