allows oauth clients to issue scopes that only grant access to the issuing service e.g. access:service!service or access:servers!server especially useful with custom scopes