Hydra "The requested scope is invalid, unknown, or malformed"

I’m trying to set up an OAuth2+OIDC implicit flow with PKCE. I set up my OAuth2/OIDC client using this command:

docker-compose exec hydra hydra clients create \
--endpoint http://localhost:4445 \
--id test-client \
--secret test-secret \
--response-types code,id_token \
--grant-types refresh_token,authorization_code \
--scope openid,offline \
--callbacks localhost:7999/oauth2/callback --token-endpoint-auth-method none

and I used this URL to manually trigger a login attempt: http://localhost:4444/oauth2/auth?client_id=test-client&scope=offline,openid&response_type=code,id_token,token

I’m however getting this error: level=error msg=“An error occurred” description=“The requested scope is invalid, unknown, or malformed” error=invalid_scope hint=“The OAuth 2.0 Client is not allowed to request scope “offline,openid”.”

How do I fix this? Also, there seems to be no documentation on the CLI anywhere except with the executable itself, which isn’t very accessible.

What are you getting if you run the following command

curl http://localhost:4445/clients
    "client_id": "test-client",
    "client_name": "",
    "redirect_uris": [
    "grant_types": [
    "response_types": [
    "scope": "openid,offline",
    "audience": [],
    "owner": "",
    "policy_uri": "",
    "allowed_cors_origins": [],
    "tos_uri": "",
    "client_uri": "",
    "logo_uri": "",
    "contacts": [],
    "client_secret_expires_at": 0,
    "subject_type": "public",
    "jwks": {
        "keys": []
    "token_endpoint_auth_method": "none",
    "request_object_signing_alg": "RS256",
    "userinfo_signed_response_alg": "none",
    "created_at": "2019-09-10T05:33:18Z",
    "updated_at": "2019-09-10T05:33:18Z"


Your scope should be “openid offline” and not “openid,offline”