Note: By default, OAuth integrations can only request basic scopes. See here for more information about requesting enterprise scopes.
On top of requesting the correct scope, the user and token must also have the required resources and permissions to perform the action.
Example 1: a personal access token with the scope data.records:read and a base added to it would be able to use the "Read records" endpoint on that base, but would not be allowed to use the "Write records" endpoint for that base. Similarly, it would not be able to use the "Read records" endpoint to access other bases that have not been added to the token.
Example 2: a personal access token with the scope schema.bases:read and multiple bases added to it would only be able to create fields in bases where the user has Creator permissions (required to customize fields).
For more information on how tokens work, refer to the Authentication reference.