From e0174233b859ae3ae28ce1c9ecf8c94dd4e65656 Mon Sep 17 00:00:00 2001
From: Steve Hall <sh41@users.noreply.github.com>
Date: Sun, 13 Jul 2025 01:27:24 +0100
Subject: [PATCH] Clarify documentation for impersonated token generation with
 service account credentials.

---
 lib/goth/token.ex | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/lib/goth/token.ex b/lib/goth/token.ex
index 5356ee5..c26eecd 100644
--- a/lib/goth/token.ex
+++ b/lib/goth/token.ex
@@ -201,10 +201,11 @@ defmodule Goth.Token do
       ...> Goth.Token.fetch(source: {:service_account, credentials, [claims: claims]})
       {:ok, %Goth.Token{...}}
 
-  #### Generate an impersonated token using a service account credentials file:
+  #### Generate an impersonated token using a service account credentials file.
+  #### Note that any top level `scopes` option will be ignored, you must specify your required `scope`, singular, not plural, as part of the claim and it must be a space separated string:
 
       iex> credentials = "credentials.json" |> File.read!() |> Jason.decode!()
-      ...> claims = %{"sub" => "<IMPERSONATED_ACCOUNT_EMAIL>"}
+      ...> claims = %{"sub" => "<IMPERSONATED_ACCOUNT_EMAIL>", "scope" => "https://scope1 https://scope2"}
       ...> Goth.Token.fetch(source: {:service_account, credentials, [claims: claims]})
       {:ok, %Goth.Token{...}}