Scopes enable fine-grained access control to API resources based on user roles. You define scopes to an API's resources. When a user invokes the API, his/her OAuth2 bearer token can not grant access to any API resource beyond its associated scopes.
If you generate a new access token after either modifying or deleting a scope of an API resource that you had previously invoked, you will not be able to access that particular resource of the API for a period of 15 minutes, which is the default Gateway cache period, because the WSO2 API Manager Gateway is designed to cache the details of the resource on its side. However, you will be able to immediately invoke other resources that correspond to that particular API. For a detailed description and a sample real-world scenario on scope management with OAuth scopes, see An Overview of Scope Management with WSO2 API Manager, which is a WSO2 library article.