MorpheusAIs · nomadicrogue · Mar 5, 2026 · Mar 5, 2026 · Mar 5, 2026
diff --git a/src/main.py b/src/main.py
@@ -1106,7 +1106,7 @@ def custom_swagger_ui_html():
                 realm: 'oauth2',
                 appName: 'Morpheus API Gateway',
                 scopeSeparator: ' ',
-                scopes: 'openid email profile',
+                scopes: 'aws.cognito.signin.user.admin openid email profile',
                 usePkceWithAuthorizationCodeGrant: false,
                 useBasicAuthenticationWithAccessCodeGrant: false,
                 additionalQueryStringParams: {{
@@ -1517,6 +1517,7 @@ def custom_openapi():
                     "authorizationUrl": f"https://{settings.COGNITO_DOMAIN}/oauth2/authorize",
                     "tokenUrl": f"https://{settings.COGNITO_DOMAIN}/oauth2/token",
                     "scopes": {
+                        "aws.cognito.signin.user.admin": "Read own user attributes (GetUser)",
                         "openid": "OpenID Connect authentication",
                         "email": "Access to email address", 
                         "profile": "Access to profile information"
@@ -1562,7 +1563,7 @@ def custom_openapi():
                 # Auth and Automation endpoints: OAuth2/BearerAuth only (JWT tokens from Cognito)
                 elif path_key.startswith("/api/v1/auth/") or path_key.startswith("/api/v1/automation/") or path_key.startswith("/api/v1/billing/"):
                     operation["security"] = [
-                        {"OAuth2": ["openid", "email", "profile"]},
+                        {"OAuth2": ["aws.cognito.signin.user.admin", "openid", "email", "profile"]},
                         {"BearerAuth": []}
                     ]
                 # Default: All other endpoints use APIKeyAuth only