feat: adding scope-based authorization

CHANGELOG.md

@@ -1,5 +1,43 @@
 # Changelog
 
+# v0.3.0 (Upcoming)
+Published on: TBD
+
+## 🚨 **BREAKING CHANGES**
+
+### OAuth2 Scope-Based Authentication
+* **BREAKING:** JWT tokens now REQUIRE OAuth2 scopes for API access
+* **BREAKING:** Tokens without valid `scope` claim will be rejected (401 Unauthorized)
+* **BREAKING:** Legacy attribute-based access control replaced with OAuth2 scopes
+
+#### New Standard OAuth2 Scopes:
+- `llama:inference` - Access to inference APIs (`/v1/inference/*`, OpenAI compatibility)
+- `llama:models:read` - Read access to models (`GET /v1/models/*`)
+- `llama:models:write` - Write access to models (`POST/PUT/DELETE /v1/models/*`)
+- `llama:agents:read` - Read access to agents (`GET /v1/agents/*`)
+- `llama:agents:write` - Write access to agents (`POST/PUT/DELETE /v1/agents/*`)
+- `llama:tools` - Access to tool runtime (`/v1/tools/*`)
+- `llama:vector_dbs:read` - Read access to vector databases
+- `llama:vector_dbs:write` - Write access to vector databases
+- `llama:safety` - Access to safety shields (`/v1/safety/*`)
+- `llama:eval` - Access to evaluation APIs (`/v1/eval/*`, `/v1/benchmarks/*`)
+- `llama:admin` - Full administrative access to all APIs
+
+#### Migration Required:
+1. **Update OAuth2 Provider:** Configure your OAuth2/OIDC provider to include Llama Stack scopes in JWT tokens
+2. **Update Client Applications:** Request appropriate scopes when obtaining tokens
+3. **Test Token Format:** Ensure JWT tokens include `"scope": "llama:inference llama:models:read"` claim
+
+#### Security Benefits:
+- **Principle of Least Privilege:** Granular access control per API
+- **Deny by Default:** No access without explicit scope grants
+- **OAuth2.0 Compliance:** Follows industry standard specifications
+- **Enhanced Audit Trail:** Clear permission tracking
+
+See [OAuth2 Scope Migration Guide](docs/source/concepts/oauth2_scopes.md) for detailed migration instructions.
+
+---
+
 # v0.2.12
 Published on: 2025-06-20T22:52:12Z