I am writing a test web site where users are expected to link their Alpaca account with my web site.
As part of the oAuth integration, I configure my website to request user access token with “data” scope only. However when the user is redirected to Alpaca and logged into Alpaca site, it showed the user following text:
Authorize My Test App
By allowing My Test App to access your Alpaca account, you are granting My Test App access to your account information and authorization to place transactions in your account at your direction.
Alpaca does not warrant or guarantee that My Test App will work as advertised or expected. Before authorizing, learn more about My Test App.
I was expecting to see the above text to include the scopes that were requested explicitly. But I did not find any such text.
Is this the intended behavior? If so, please change it so that user knows exactly what he/she is getting into by allowing this authorization to continue.