diff --git a/docs/api.md b/docs/api.md
index 652405e2e..3e62c6a77 100644
--- a/docs/api.md
+++ b/docs/api.md
@@ -178,7 +178,7 @@ By default, all authenticated users have full read and write access to the serve
 
 ### Filtering results by authority (multitenancy)
 
-In Ralph, all incoming statements are assigned an `authority` (or ownership) derived from the user that makes the call. You may restrict read access to users "own" statements (thus enabling multitenancy) by setting the following environment variable:
+In Ralph LRS, all incoming statements are assigned an `authority` (or ownership) derived from the user that makes the call. You may restrict read access to users "own" statements (thus enabling multitenancy) by setting the following environment variable:
 
 ```
 RALPH_LRS_RESTRICT_BY_AUTHORITY = True # Default: False
@@ -190,7 +190,27 @@ NB: If not using "scopes", or for users with limited "scopes", using this option
 
 #### Scopes
 
-(Work In Progress)
+In Ralph, users are assigned scopes which may be used to restrict endpoint access or
+functionalities. You may enable this option by setting the following environment variable:
+
+```
+RALPH_LRS_RESTRICT_BY_SCOPES = True # Default: False
+```
+
+Valid scopes are a slight variation on those proposed by the
+[xAPI specification](https://github.com/adlnet/xAPI-Spec/blob/master/xAPI-Communication.md#details-15):
+
+
+- statements/write
+- statements/read/mine
+- statements/read
+- state/write
+- state/read
+- define
+- profile/write
+- profile/read
+- all/read
+- all
 
 ## Forwarding statements
 
diff --git a/src/ralph/api/auth/basic.py b/src/ralph/api/auth/basic.py
index d2c329f12..04dfcce59 100644
--- a/src/ralph/api/auth/basic.py
+++ b/src/ralph/api/auth/basic.py
@@ -155,7 +155,7 @@ def get_basic_auth_user(
 status_code=status.HTTP_403_FORBIDDEN, detail=str(exc)
 ) from exc
 
- # Check that password was passed
+ # Check that a password was passed
 if not hashed_password:
 # We're doing a bogus password check anyway to avoid timing attacks on
 # usernames
diff --git a/tests/api/test_statements_get.py b/tests/api/test_statements_get.py
index a56323c56..ec8a24085 100644
--- a/tests/api/test_statements_get.py
+++ b/tests/api/test_statements_get.py
@@ -757,7 +757,7 @@ def test_api_statements_get_invalid_query_parameters(basic_auth_credentials, id_
 (["all/read"], True),
 (["statements/read/mine"], True),
 (["statements/read"], True),
- (["profile/write", "all/write", "statements/read"], True),
+ (["profile/write", "statements/read", "all/write"], True),
 (["statements/write"], False),
 (["profile/read"], False),
 (["all/write"], False),
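Review bot: The reworded comment `# Check that a password was passed` still describes the wrong condition: the guard tests `hashed_password`, which by its name looks like the stored hash looked up for the requested user rather than the password the client sent (its assignment is outside this hunk, so this is inferred). If that reading is right, the comment should name the real situation and why the dummy check follows, e.g. `# No stored hash for this user: still run a dummy password comparison so a` / `# missing user cannot be told apart from a wrong password by response time`. get_basic_auth_user starts before the hunk and its body continues after it.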
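Review bot: Swapping `"all/write"` and `"statements/read"` inside one parametrized case changes nothing if the scope check is set-based, and if the expected outcome really depends on list order that is a defect in the checker (outside this hunk) rather than something the test should accommodate; either way a short comment on the case saying why the order was changed would help the next reader. Separately, `"all/write"` appears in three of these cases but is absent from the list of valid scopes this same commit adds to docs/api.md (which ends with `all/read` and `all`), so either the documented list is incomplete or the tests rely on a scope the LRS does not document. The parametrize list starts and ends outside the hunk.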