What's Changed
- OAuth browser and device flows now request Zitadel's role-specific scopes, keeping issued tokens limited to the OpenSea permissions the client requested.
- Explicit empty scope lists are rejected locally instead of being sent to the authorization server, where they could expand to every role on the account.
Full Changelog: ProjectOpenSea/opensea-devtools@sdk-v11.4.5...sdk-v11.4.7