diff --git a/lemonauth/models.py b/lemonauth/models.py
index 1225811..2360431 100644
--- a/lemonauth/models.py
+++ b/lemonauth/models.py
@@ -3,13 +3,13 @@ from secrets import token_hex
class IndieAuthCodeManager(models.Manager):
- def create_from_dict(self, d):
+ def create_from_qdict(self, d):
code = self.create(
me=d['me'],
client_id=d['client_id'],
redirect_uri=d['redirect_uri'],
response_type=d.get('response_type', 'id'),
- scope=d.get('scope', ''),
+ scope=" ".join(d.getlist('scope')),
)
code.code = token_hex(32)
return code
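Review bot: The `scope=" ".join(d.getlist('scope'))` line stores each posted scope value verbatim, so an entry that is empty or itself contains whitespace produces a stored scope string that later splits into different tokens than were submitted; filtering first, e.g. `scope=" ".join(s for s in d.getlist('scope') if s and ' ' not in s),`, keeps the stored value consistent with what the checkboxes posted. The renamed method also has no docstring — a short one stating that `d` is expected to be a Django QueryDict (hence `getlist`) and that `me`, `client_id` and `redirect_uri` are required and raise `KeyError` when absent would help callers. Whether the posted scopes are re-checked anywhere against the ones originally requested is not visible in this diff.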
diff --git a/lemonauth/templates/lemonauth/indie.html b/lemonauth/templates/lemonauth/indie.html
index d6a769d..90d18af 100644
--- a/lemonauth/templates/lemonauth/indie.html
+++ b/lemonauth/templates/lemonauth/indie.html
@@ -22,6 +22,18 @@
do you want to confirm your identity, {{ me }}, with this app?
+ {% if params.response_type == 'code' %}
+
additionally, this app is requesting the following scopes - you can edit the scopes that will be granted to the app, if you wish
+
+ {% for scope in scopes %}
+
+ {% endfor %}
+
+ {% endif %}
you will be redirected to {{ params.redirect_uri }} after authorising this app
diff --git a/lemonauth/views/indie.py b/lemonauth/views/indie.py
index c76147d..30c26a3 100644
--- a/lemonauth/views/indie.py
+++ b/lemonauth/views/indie.py
@@ -62,6 +62,22 @@ class IndieView(TemplateView):
content_type='text/plain',
)
+ type = params['response_type']
+ if type not in ('id', 'code'):
+ return HttpResponseBadRequest(
+ 'unknown response_type: {0}'.format(type),
+ content_type='text/plain'
+ )
+
+ scopes = ()
+ if type == 'code':
+ if 'scope' not in params:
+ return HttpResponseBadRequest(
+ 'scopes required for code type',
+ content_type='text/plain',
+ )
+ scopes = params['scope'].split(' ')
+
client = mf2py.Parser(url=params['client_id'], html_parser='html5lib')
rels = (client.to_dict()['rel-urls']
.get(params['redirect_uri'], {})
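Review bot: `type = params['response_type']` on the first added line raises `KeyError` when the parameter is absent, whereas `create_from_qdict` in models.py defaults a missing `response_type` to `'id'`; using `response_type = params.get('response_type', 'id')` handles the two paths consistently (this assumes `params` is dict-like, which is built earlier in the method that starts outside the hunk) and avoids shadowing the builtin `type`. The scope parsing on `scopes = params['scope'].split(' ')` keeps empty tokens for doubled or trailing spaces and yields `['']` for `scope=` with no value, which still passes the `'scope' not in params` check above it; `scopes = params['scope'].split()` followed by `if not scopes:` returning the same bad request closes that gap. The surrounding `get` method continues past the end of the hunk.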
@@ -78,6 +94,7 @@ class IndieView(TemplateView):
'me': me,
'verified': verified,
'params': params,
+ 'scopes': scopes,
'title': 'indieauth',
}
@@ -112,10 +129,9 @@ class IndieView(TemplateView):
@login_required
@require_POST
def approve(request):
- post = request.POST.dict()
- code = IndieAuthCode.objects.create_from_dict(post)
+ code = IndieAuthCode.objects.create_from_qdict(request.POST)
code.save()
params = {'code': code.code, 'me': code.me}
- if 'state' in post:
- params['state'] = post['state']
+ if 'state' in request.POST:
+ params['state'] = request.POST['state']
return redirect(code.redirect_uri + '?' + urlencode(params))
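Review bot: `code = IndieAuthCode.objects.create_from_qdict(request.POST)` on the first added line propagates a `MultiValueDictKeyError` (a `KeyError` subclass) when the form post lacks `me`, `client_id` or `redirect_uri`, so a malformed or tampered submission yields a 500 rather than a client error. Wrapping that call in a `try`/`except KeyError as err:` that returns `HttpResponseBadRequest('missing parameter: {0}'.format(err), content_type='text/plain')` matches the bad-request handling `IndieView` already uses earlier in the file. The whole of `approve` is visible in the hunk, so no other path creates the code.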