diff --git a/config.go b/config.go
index 6c09575..93d79c7 100644
--- a/config.go
+++ b/config.go
@@ -119,7 +119,7 @@ func registerFlags(cmd *cobra.Command) {
 	cmd.PersistentFlags().
 		IntVar(&flagCallbackPort, "port", 0, "Local callback port for browser flow (default: 8888 or CALLBACK_PORT env)")
 	cmd.PersistentFlags().
-		StringVar(&flagScope, "scope", "", "Space-separated OAuth scopes (default: \"read write\")")
+		StringVar(&flagScope, "scope", "", "Space-separated OAuth scopes (default: \"email profile\")")
 	cmd.PersistentFlags().
 		StringVar(&flagTokenFile, "token-file", "", "Token storage file (default: .authgate-tokens.json or TOKEN_FILE env)")
 	cmd.PersistentFlags().
@@ -182,7 +182,7 @@ func loadConfig() *AppConfig {
 	cfg.ForceDevice = flagDevice
 	cfg.ServerURL = getConfig(flagServerURL, "SERVER_URL", "http://localhost:8080")
 	cfg.ClientSecret = getConfig(flagClientSecret, "CLIENT_SECRET", "")
-	cfg.Scope = getConfig(flagScope, "SCOPE", "read write")
+	cfg.Scope = getConfig(flagScope, "SCOPE", "email profile")
 
 	// Resolve callback port (int flag needs special handling).
 	portStr := ""
diff --git a/main_test.go b/main_test.go
index eb7c3d4..752fc8c 100644
--- a/main_test.go
+++ b/main_test.go
@@ -28,7 +28,7 @@ func testConfig(t *testing.T) *AppConfig {
 	return &AppConfig{
 		ServerURL:   serverURL,
 		ClientID:    "test-client",
-		Scope:       "read write",
+		Scope:       "email profile",
 		RetryClient: rc,
 		Store: credstore.NewTokenFileStore(
 			filepath.Join(t.TempDir(), "tokens.json"),
@@ -235,7 +235,7 @@ func TestBuildAuthURL_ContainsRequiredParams(t *testing.T) {
 		ServerURL:   "http://localhost:8080",
 		ClientID:    "my-client-id",
 		RedirectURI: "http://localhost:8888/callback",
-		Scope:       "read write",
+		Scope:       "email profile",
 		Endpoints:   defaultEndpoints("http://localhost:8080"),
 	}