Not quite actually. Here’s the whole flow to hopefully clarify things.
- I request just user:read:email, the user approves and I get token 1 (T1) and save it to my database.
- Later on I request just channel_feed_edit, the user approves and I get token 2 (T2).
- Then, immediately after I receive T2, I grab T1 from my database, ask the API what scopes are approved on it, and combine them with what was just approved in T2. I then request user:read:email and channel_feed_edit together, and since force verify isn't enabled and they have already approved both of those scopes in the past (even though they were in separate requests), the authorization happens automatically and I receive T3, which simply has the scopes from T1 and T2 combined. The user doesn't notice this has happened, as it's just 2 extra redirects. Now I can forget T1 and T2 and just use T3, so I simply replace the database entry for T1 with T3.
Then if I need to add yet more scopes to my token I just start the process over, treating T3 as T1.
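The consolidation step described in that post, as an added example that is not the poster's own code: it unions the scopes reported for T1 with the scopes just approved on T2, builds the combined authorization request with force verify off, and only replaces the stored T1 with T3 once T3 is confirmed to carry every expected scope. The authorize endpoint, parameter names, the validation response shape, and all token and client values are assumptions or constructed placeholders.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed Twitch-style authorize endpoint and parameter names (an assumption).
AUTHORIZE_URL = "https://id.twitch.tv/oauth2/authorize"

# Constructed sample data: the stored T1 and the validation response for it.
STORE = {"user42": {"token": "T1-placeholder", "scopes": ["user:read:email"]}}
VALIDATE_T1 = {"client_id": "client-placeholder", "login": "user42",
               "scopes": ["user:read:email"]}


def merge_scopes(existing, newly_approved):
    """Union of two scope lists, first-seen order, duplicates dropped."""
    merged = []
    for scope in list(existing) + list(newly_approved):
        if scope not in merged:
            merged.append(scope)
    return merged


def build_authorize_url(client_id, redirect_uri, scopes, state, force_verify=False):
    """Authorization URL for the combined request. force_verify stays off so a
    user who has already approved every listed scope is redirected straight back."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": " ".join(scopes),
              "state": state, "force_verify": "true" if force_verify else "false"}
    return AUTHORIZE_URL + "?" + urlencode(params)


def scopes_in_url(url):
    """Read the space-separated scope parameter back out of an authorize URL."""
    return parse_qs(urlparse(url).query)["scope"][0].split(" ")


def consolidate(validate_response, t2_scopes, client_id, redirect_uri, state):
    """Step 3 of the flow: T1's scopes (from its validation response) are unioned
    with the scopes just approved on T2, and one combined request is built."""
    combined = merge_scopes(validate_response["scopes"], t2_scopes)
    return combined, build_authorize_url(client_id, redirect_uri, combined, state)


def replace_token(store, user_id, t3_token, t3_scopes, expected_scopes):
    """Step 4: swap T1 for T3 only if T3 carries every expected scope (added
    check, an assumption); otherwise keep T1 and report failure."""
    if not set(expected_scopes) <= set(t3_scopes):
        return False
    store[user_id] = {"token": t3_token, "scopes": list(t3_scopes)}
    return True
```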