Diff

--- a/mod_http_oauth2/README.md	Sun Jun 15 01:08:46 2025 +0700
+++ b/mod_http_oauth2/README.md	Fri Jul 18 20:45:38 2025 +0700
@@ -275,9 +275,9 @@
 
 OAuth supports "scopes" as a way to grant clients limited access.
 
-There are currently no standard scopes defined for XMPP. This is
-something that we intend to change, e.g. by definitions provided in a
-future XEP. This means that clients you authorize currently have to
+[XEP-0493: OAuth Client Login] describes using OAuth 2.0 / OpenID Connect with XMPP.
+This module does not yet support [the scopes defined](https://xmpp.org/extensions/xep-0493.html#oauth-scopes).
+This means that clients you authorize currently have to
 choose between unrestricted access to your account (including the
 ability to change your password and lock you out!) and zero access. So,
 for now, while using OAuth clients can prevent leaking your password to
@@ -292,7 +292,9 @@
 OpenID scopes such as `openid` and `profile` can be used for "Login
 with XMPP" without granting access to more than limited profile details.
 
+The `offline_access` scope must be requested to receive refresh tokens.
+
 ## Compatibility
 
-Requires Prosody trunk (April 2023), **not** compatible with Prosody 0.12 or
-earlier.
+Requires Prosody trunk (April 2023 or later) or Prosody 13.0,
+**not** compatible with Prosody 0.12 or earlier.