This is a scanner, not a login screen. consentcheck never contacts an OAuth provider, never asks you to sign in, and never sees a token or authorization code — it only parses the scope names you paste and grades them against public provider documentation.

Should this app really be asking for that?

Paste the scope list a third-party OAuth app is requesting — or the full authorize URL — and pick the provider. consentcheck statically flags admin-tier / directory-wide grants, broad data access, offline (refresh-token) access, wildcard scopes, and write-where-read-would-do requests, each with a plain-English explanation and a citation. Curated catalogs for Google, Microsoft Graph, GitHub, and Slack; any other provider falls back to a labeled heuristic. No network calls; nothing is persisted unless you save a report.

Load example:

Space- or comma-delimited scopes, or a full authorize URL — its scope parameter is extracted; nothing else in the URL (client id, redirect URI, state, code) is read or stored.