diff --git a/Makefile b/Makefile
index fa66201e5e1..795bde20538 100644
--- a/Makefile
+++ b/Makefile
@@ -155,6 +155,9 @@ kill-graphql:
 redis-cli:
 docker-compose exec redis redis-cli
+redis-flush:
+ docker-compose exec redis redis-cli FLUSHDB
+
 codegen:
 yarn write-sdl
diff --git a/dev/ory/oathkeeper_rules.yaml b/dev/ory/oathkeeper_rules.yaml
index 834683d5332..8519e3c6756 100644
--- a/dev/ory/oathkeeper_rules.yaml
+++ b/dev/ory/oathkeeper_rules.yaml
@@ -61,6 +61,7 @@
 preserve_path: true
 preserve_query: true
 subject_from: identity.id
+ extra_from: "@this"
 - handler: oauth2_introspection
 config:
 introspection_url: http://hydra:4445/admin/oauth2/introspect
@@ -80,7 +81,7 @@
 mutators:
 - handler: id_token
 config:
- claims: '{"sub": "{{ print .Subject }}", "session_id": "{{ print .Extra.id }}", "expires_at": "{{ print .Extra.expires_at }}" }'
+ claims: '{"sub": "{{ print .Subject }}", "session_id": "{{ print .Extra.id }}", "expires_at": "{{ print .Extra.expires_at }}", "scope": "{{ print .Extra.scope }}" }'
 - id: admin-backend
 upstream:
diff --git a/docker-compose.yml b/docker-compose.yml
index f16c5008381..78502ecf650 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -21,6 +21,7 @@ services:
 - svix
 - lnd-outside-2
 - hydra
+ - mailslurper
 restart: on-failure:10
 integration-deps:
 image: busybox
diff --git a/docs/hydra.md b/docs/hydra.md
index 2e9b32e73e1..34d0e584c44 100644
--- a/docs/hydra.md
+++ b/docs/hydra.md
@@ -46,8 +46,8 @@ code_client=$(hydra create client \
 --grant-type authorization_code,refresh_token \
 --response-type code,id_token \
 --format json \
- --scope openid --scope offline --scope read \
- --redirect-uri http://127.0.0.1:5555/callback
+ --scope offline --scope transactions:read --scope payments:send \
+ --redirect-uri http://127.0.0.1:5555/callback \
 )
 code_client_id=$(echo $code_client | jq -r '.client_id')
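Review bot: The `scope` claim added to the `id_token` mutator's `claims` template is emitted for every request this rule handles, but only the `oauth2_introspection` authenticator's response carries a `scope` field; for the session authenticator (the one with `subject_from: identity.id`, whose whole upstream response the earlier hunk now exposes via `extra_from: "@this"`) `.Extra.scope` is a missing map key, and Go's `print` on a missing `map[string]interface{}` key should yield the literal string `<nil>` rather than an absent claim (the existing `session_id`/`expires_at` claims have the same behaviour on the introspection path, so verify against the running oathkeeper). Downstream consumers then receive a non-empty string, not `undefined`, which matters as soon as the claim drives authorization. Consider emitting the claim conditionally, e.g. `"expires_at": "{{ print .Extra.expires_at }}"{{ if .Extra.scope }}, "scope": "{{ print .Extra.scope }}"{{ end }} }`, so absence stays absence. Note also that `@this` forwards the entire upstream response (identity traits included) to the mutators; only templated fields reach the backend today, but a narrower GJSON path would limit what a future template change could pass through.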
@@ -67,7 +67,7 @@ hydra perform authorization-code \
 --client-secret $code_client_secret \
 --endpoint http://127.0.0.1:4444/ \
 --port 5555 \
- --scope openid --scope offline
+ --scope offline --scope transactions:read --scope payments:send
 ```
 do the login and consent
@@ -81,9 +81,13 @@ you are now connect as the user when you add the Header `Oauth2-Token: {token}`.
 hydra introspect token \
 --format json-pretty \
 --endpoint http://127.0.0.1:4445/ \
- TOKEN
+ $ory_at_TOKEN
 # OR
-curl -X POST http://localhost:4445/admin/oauth2/introspect -d token=ory_at_TOKEN
+curl -X POST http://localhost:4445/admin/oauth2/introspect -d token=$ory_at_TOKEN
-curl -I -X POST http://localhost:4456/decisions/graphql -H 'Authorization: Bearer ory_at_TOKEN'
+curl -I -X POST http://localhost:4456/decisions/graphql -H "Oauth2-Token: $ory_at_TOKEN"
+curl --location 'http://localhost:4002/graphql' \
+--header 'Content-Type: application/json' \
+--header "Oauth2-Token: $ory_at_TOKEN" \
+--data '{"query":"query me {\n me {\n id\n defaultAccount {\n id\n }\n }\n}","variables":{}}'
\ No newline at end of file
diff --git a/src/servers/index.files.d.ts b/src/servers/index.files.d.ts
index b1539809299..25d43969709 100644
--- a/src/servers/index.files.d.ts
+++ b/src/servers/index.files.d.ts
@@ -12,6 +12,7 @@ type GraphQLPublicContext = {
 user: User | undefined
 domainAccount: Account | undefined
 ip: IpAddress | undefined
+ scope: string | undefined // TODO: enum
 }
 type GraphQLPublicContextAuth = Omit & {
diff --git a/src/servers/middlewares/session.ts b/src/servers/middlewares/session.ts
index 84a4bc16a5d..31ee0d76fed 100644
--- a/src/servers/middlewares/session.ts
+++ b/src/servers/middlewares/session.ts
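Review bot: The `// TODO: enum` on the new `scope` field points in the wrong direction: the value originates from the OAuth2 introspection `scope` claim, which is a space-delimited list of scope tokens (RFC 6749 §3.3; `docs/hydra.md` in this same commit requests `offline`, `transactions:read` and `payments:send` together), so a single enum cannot represent it. Document the shape instead, e.g. `scope: string | undefined // space-delimited OAuth2 scope list (RFC 6749 §3.3); split on whitespace before comparing`, or type it as a parsed `ReadonlySet<string> | undefined` once the middleware normalizes it. The `GraphQLPublicContext` type begins outside the hunk.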
@@ -32,19 +32,22 @@ export const sessionPublicContext = ({
 const sessionId = tokenPayload?.session_id
 const expiresAt = tokenPayload?.expires_at
+ const scope = tokenPayload?.scope
+ const sub = tokenPayload?.sub
 return addAttributesToCurrentSpanAndPropagate(
 {
- "token.sub": tokenPayload?.sub,
+ "token.sub": sub,
 "token.iss": tokenPayload?.iss,
 "token.session_id": sessionId,
 "token.expires_at": expiresAt,
+ "token.scope": scope,
 [SemanticAttributes.HTTP_CLIENT_IP]: ip,
 },
 async () => {
 // note: value should match (ie: "anon") if not an accountId
 // settings from dev/ory/oathkeeper.yml/authenticator/anonymous/config/subjet
- const maybeUserId = checkedToUserId(tokenPayload?.sub ?? "")
+ const maybeUserId = checkedToUserId(sub ?? "")
 if (!(maybeUserId instanceof ValidationError)) {
 const userId = maybeUserId
@@ -95,6 +98,7 @@ export const sessionPublicContext = ({
 loaders,
 user,
 domainAccount,
+ scope,
 ip,
 }
 },
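Review bot: `scope` is copied from `tokenPayload?.scope` into the span attributes here and into the public context in the second hunk (@@ -95) as the raw claim string, with no normalization at the trust boundary: a present value is a space-delimited list (RFC 6749 §3.3), and because the claim is rendered by the oathkeeper `id_token` template it may arrive as a non-empty placeholder string rather than `undefined` when the upstream had no scope (session logins), so a resolver gating on `scope === undefined` or `scope === "payments:send"` would be wrong in both directions. Normalize once here, e.g. `const rawScope = tokenPayload?.scope` / `const scope = typeof rawScope === "string" && rawScope.trim() !== "" ? rawScope : undefined`, and add a comment on that line stating that consumers must split on whitespace before comparing and must not treat an absent scope as "all scopes". `sessionPublicContext` begins and ends outside the hunks.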