4.3 Restricting Access to APIs with Access Manager Scopes and Roles in the Publisher

You can create the resource servers and scopes before or after you create the APIs in the Publisher. At some point in the process, you must associate the scopes in Access Manager with the APIs or specific API endpoints defined in the Publisher to control access to the APIs or the specific API endpoints.

You can associate a single scope with one or more APIs, with all of the endpoints in an API, or with a specific API endpoint. To limit access to an API, you must assign the scope to the API and also to the individual API endpoints within that API. You can assign the same scope to multiple endpoints in an API, or you can assign different scopes to different endpoints in the API if different users should access different endpoints. You select the scope when you create an API group.

If you want to limit API access by roles, the client that calls the APIs must include the scope name in its authorization code grant request. For example, if you are using the default scope, any OAuth client that consumes the API must request APIManageScope in its authorization code grant.
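To make the assignment concrete, here is an added example (not code from the product or its documentation) that models the scope-to-API and scope-to-endpoint mapping described above and the two places it matters: the authorization code grant request the client sends with the scope parameter, and the check that confirms every required scope is present before an endpoint is served. The API name, endpoint paths, the second scope OrdersAdminScope and the authorization endpoint URL are constructed sample values.

```python
from urllib.parse import urlencode

# Constructed sample of what the Publisher configures: one API with a scope at
# the API level and a scope on each endpoint. Two endpoints share the default
# scope; the third requires a different (hypothetical) scope.
API_SCOPES = {
    "orders-api": {
        "_api": "APIManageScope",                   # scope assigned to the API itself
        "GET /orders": "APIManageScope",            # same scope on this endpoint
        "GET /orders/{id}": "APIManageScope",
        "DELETE /orders/{id}": "OrdersAdminScope",  # different scope on this endpoint
    }
}


def required_scopes(api: str, endpoint: str) -> set[str]:
    """Scopes a caller needs for an endpoint: the API-level scope plus the endpoint's own."""
    api_cfg = API_SCOPES[api]
    if endpoint not in api_cfg:
        raise KeyError(f"endpoint {endpoint!r} is not defined in API {api!r}")
    return {api_cfg["_api"], api_cfg[endpoint]}


def authorization_request_url(authz_endpoint: str, client_id: str,
                              redirect_uri: str, scopes: set[str], state: str) -> str:
    """Build the authorization code grant request; the scope names ride in 'scope'."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(sorted(scopes)),  # space-separated per OAuth 2.0
        "state": state,                     # CSRF protection for the redirect
    }
    return f"{authz_endpoint}?{urlencode(params)}"


def is_authorized(granted_scopes, api: str, endpoint: str) -> bool:
    """Enforcement check: allow only if the token carries every required scope."""
    return required_scopes(api, endpoint) <= set(granted_scopes)


if __name__ == "__main__":
    url = authorization_request_url("https://idp.example.test/authorize", "orders-client",
                                    "https://app.example.test/callback",
                                    {"APIManageScope"}, "c2Rmc2Rm")
    print(url)
    print(is_authorized(["APIManageScope"], "orders-api", "GET /orders"))          # True
    print(is_authorized(["APIManageScope"], "orders-api", "DELETE /orders/{id}"))  # False
```

A client that requested only APIManageScope is served the GET endpoints but refused the DELETE endpoint, which is the effect of assigning a different scope to one endpoint in the same API.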