diff --git a/src/controllers/well-known_controller.ts b/src/controllers/well-known_controller.ts
index bc346e4af..181ce6817 100644
--- a/src/controllers/well-known_controller.ts
+++ b/src/controllers/well-known_controller.ts
@@ -16,11 +16,12 @@ function build(): express.Router {
 controller.get('/oauth-authorization-server', (request, response) => {
 const origin = request.protocol + '://' + request.headers.host;
 response.json({
- 'issuer': origin,
- 'authorization_endpoint': origin + Constants.OAUTH_PATH + '/authorize',
- 'token_endpoint': origin + Constants.OAUTH_PATH + '/token',
- 'response_types_supported': ['code']
- //TODO: Consider adding scopes_supported with a dynamically generated list
+ issuer: origin,
+ authorization_endpoint: origin + Constants.OAUTH_PATH + '/authorize',
+ token_endpoint: origin + Constants.OAUTH_PATH + '/token',
+ response_types_supported: ['code'],
+ // Only expose top-level scopes to unauthenticated clients
+ scopes_supported: [Constants.THINGS_PATH, Constants.THINGS_PATH + ':readwrite'],
 });
 });
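Review bot: The `origin` that every advertised URL is built from, `request.protocol + '://' + request.headers.host`, comes from the client-supplied Host header, so `issuer`, `authorization_endpoint` and `token_endpoint` in this unauthenticated document name whatever host the request carried. It would be safer to build them from a configured public origin, or to check the header against a list of expected hosts before echoing it; whether a front proxy already pins Host is not visible from this hunk. `request.protocol` also only reflects a TLS-terminating proxy when Express's `trust proxy` setting is enabled, so the issuer may be advertised as `http://` behind one. Separately, the hard-coded `scopes_supported` list can drift from what the authorize path actually accepts, so a comment such as `// Keep in sync with the scopes accepted on the authorize path` or a shared constant would help. The body of `build()` starts and ends outside the hunk.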