diff --git a/lib/oauth/authenticator.js b/lib/oauth/authenticator.js index 5becd8f2..ee80979b 100644 --- a/lib/oauth/authenticator.js +++ b/lib/oauth/authenticator.js @@ -2,6 +2,7 @@ var ApiAuthRequestError = require('../error/ApiAuthRequestError'); var JwtAuthenticator = require('../jwt/jwt-authenticator'); +var ScopeFactoryAuthenticator = require('../oauth/scope-factory-authenticator'); var OAuthPasswordGrantRequestAuthenticator = require('../oauth/password-grant').authenticator; var OAuthRefreshTokenGrantRequestAuthenticator = require('../oauth/refresh-grant').authenticator; var OAuthIdSiteTokenGrantAuthenticator = require('../oauth/id-site-grant').authenticator; 
@@ -33,6 +34,52 @@ function OAuthAuthenticator(application) { this.application = application; } +/** +* @function +* +* @description +* +* Sets a scope factory to be used in the authentication flow, provided the grant +* type supports scopes and scope factories. The scope factory is a +* developer-provided function that allows you to add custom scope to the tokens +* that Stormpath creates. +* +* @param {Function} scopeFactory +* The scope factory to use when processing authentication results. When it is defined, +* it will be invoked with the authentication result. You should determine which scope +* to grant, and provide it to the callback. +* +* The function must have the signature `(authenticationResult, requestedScope, callback)`. +* +* See +* {@link ScopeFactoryAuthenticator#setScopeFactory ScopeFactoryAuthenticator.setScopeFactory} +* for more details. +*/ +OAuthAuthenticator.prototype.setScopeFactory = function setScopeFactory(scopeFactory) { + this.scopeFactory = scopeFactory; +}; + +/** +* @function +* +* @description +* +* Sets the signing key used by the scope factory to sign new access tokens. +* Only used in the scope factory flow. See +* {@link ScopeFactoryAuthenticator#setScopeFactorySigningKey ScopeFactoryAuthenticator.setScopeFactorySigningKey}. +* +* @param {String} signingKey +* Signing key used to pack and unpack JWTs. It is required if the scope +* factory is set. If the factory is invoked without a signing key, an error will +* be passed to the callback. +* +* This must be the same Tenant API Key Secret that you used to create the {@link Client} +* that was used to initiate the authentication attempt. +*/ +OAuthAuthenticator.prototype.setScopeFactorySigningKey = function setScopeFactorySigningKey(key) { + this.signingKey = key; +}; + OAuthAuthenticator.prototype.localValidation = false; OAuthAuthenticator.prototype.withLocalValidation = function withLocalValidation() { 
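Review bot: `setScopeFactory` stores whatever it is given, so a truthy non-function value passes the `this.scopeFactory &&` test in `authenticate` and is only discovered while a token is being issued. Rejecting it in the setter fails at configuration time instead, for example `if (typeof scopeFactory !== 'function') { throw new TypeError('scopeFactory must be a function'); }`. The doc comment for `setScopeFactorySigningKey` names the parameter `signingKey` while the function declares `key`; one of the two should change so the generated docs match. `requestedScope` presumably carries the scope the client asked for, so the `setScopeFactory` doc would benefit from one more sentence: the factory should derive the granted scope from the authentication result and not pass the requested scope through unchanged.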
@@ -77,6 +124,11 @@ OAuthAuthenticator.prototype.authenticate = function authenticate(req, callback) } } + if (this.scopeFactory && (authenticator instanceof ScopeFactoryAuthenticator)) { + authenticator.setScopeFactory(this.scopeFactory); + authenticator.setScopeFactorySigningKey(this.signingKey); + } + if (authenticator) { authenticator.authenticate(token, callback); } else {
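Review bot: The signing key is forwarded without a check that it was ever set, so `authenticator.setScopeFactorySigningKey(this.signingKey)` passes `undefined` when only `setScopeFactory` was called. The doc comment added in this commit says the key is required once a factory is set, and it is the Tenant API Key Secret used to sign the new access tokens, so a missing value should stop the request here. A guard ahead of the two setters would do that, such as `if (!this.signingKey) { return callback(new Error('A signing key is required when a scope factory is set')); }`, adapted to the error type this module already uses. Whether `ScopeFactoryAuthenticator` already rejects a missing key is not visible in this diff. The body of `authenticate` starts and ends outside the hunk.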