diff --git a/lib/auth.ts b/lib/auth.ts
index 501829e..676871d 100644
--- a/lib/auth.ts
+++ b/lib/auth.ts
@@ -19,6 +19,7 @@ export const auth = betterAuth({
 organization(),
 jwt(),
 oauthProvider({
+ scopes: ["openid", "profile", "email", "offline_access", "mcp"],
 validAudiences: [MCP_RESOURCE],
 // TODO: rate-limit /api/auth/oauth2/register per IP before relying on this in untrusted environments.
 allowDynamicClientRegistration: true,
diff --git a/tests/mcp-oauth.test.ts b/tests/mcp-oauth.test.ts
index dd8bd4d..62755f0 100644
--- a/tests/mcp-oauth.test.ts
+++ b/tests/mcp-oauth.test.ts
@@ -194,6 +194,9 @@ describe("MCP discovery", () => {
 `${APP_URL}/api/auth/oauth2/authorize`,
 );
 expect(body.token_endpoint).toBe(`${APP_URL}/api/auth/oauth2/token`);
+ expect(body.scopes_supported).toEqual(
+ expect.arrayContaining(["openid", "profile", "email", "offline_access", "mcp"]),
+ );
 });
 });
 describe("MCP route methods", () => {
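Review bot: The added `scopes` line enables `offline_access` and `mcp` while `allowDynamicClientRegistration: true` stays on and the TODO beneath it says registration is not yet rate-limited, so a self-registered client can presumably request refresh tokens and the MCP scope with no further gate. The `oauthProvider({ ... })` call continues outside the hunk, so a per-client scope restriction may already exist further down; if it does not, it is worth checking whether dynamically registered clients can be limited to a narrower default scope set. At minimum I would record the intent next to the list, e.g. `// Scopes clients may request. offline_access issues refresh tokens; mcp is the custom scope for MCP_RESOURCE. Review DCR exposure before adding more.`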
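Review bot: `expect.arrayContaining(...)` in the added assertion only checks that the five scopes are present, so the test keeps passing if the discovery document starts advertising extra scopes that were never meant to be exposed. If the advertised set is supposed to equal the configured list, pin it exactly, e.g. `expect([...body.scopes_supported].sort()).toEqual(["email", "mcp", "offline_access", "openid", "profile"]);`. The scope list is also repeated verbatim from lib/auth.ts; a shared exported constant would stop the two from drifting apart. The enclosing test case starts outside the hunk.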