Access token vs id token usage

Upon further investigation, I have discovered that access tokens can be augmented (e.g. user email added) via rules and, by supplying the API audience, a JWT access token is provided instead of an opaque token after authentication.

This is starting to make sense now. It was a valuable exercise, too, as I discovered that regardless of the API/application scope configured in the dashboard, a client can still request any API scope. This is a bit confusing as I’m not sure what purpose there is to attributing scopes to “Machine to Machine Applications” under APIs. So far, I have found these settings to be of no real value, and they give the impression that you are restricting requestable scopes when it appears to do nothing. If any light can be shed on these settings, that would be helpful. In the meantime, I’ll use rules to modify the access token scope.

Thanks,
Craig
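As an added example (not code from the post above or from Auth0), here is a rule in the Auth0 rule shape that does the two things described: it adds the user's email to the access token as a namespaced custom claim and trims the scopes to a per-client allow-list, so a client cannot obtain a scope just by asking for it. The claim namespace, the client IDs and the allow-list are constructed placeholders, and reading the requested scopes from `context.request.query.scope` is an assumption.

```javascript
// Constructed namespace: custom claims in Auth0 tokens must be namespaced URLs.
const CLAIM_NAMESPACE = 'https://example.com/claims/';

// Constructed allow-list: which scopes each client (by client ID) may hold.
// Any scope not listed for the calling client is dropped from the token.
const ALLOWED_SCOPES_BY_CLIENT = {
  'client-id-reporting-app': ['read:reports'],
  'client-id-admin-app': ['read:reports', 'write:reports'],
};

// Parse a space-separated scope string into a de-duplicated array.
function parseScopes(scopeString) {
  return Array.from(new Set(String(scopeString || '').split(/\s+/).filter(Boolean)));
}

// Rule body, in the (user, context, callback) shape Auth0 rules use.
function augmentAccessToken(user, context, callback) {
  context.accessToken = context.accessToken || {};

  // Expose the email to the API as a custom claim on the JWT access token.
  context.accessToken[CLAIM_NAMESPACE + 'email'] = user.email;

  // Assumption: the scopes the client requested arrive on context.request.query.scope.
  const requested = parseScopes(context.request && context.request.query && context.request.query.scope);
  const allowed = ALLOWED_SCOPES_BY_CLIENT[context.clientID] || [];

  // Keep only the intersection; unknown clients end up with no API scopes at all.
  context.accessToken.scope = requested.filter((s) => allowed.includes(s));

  return callback(null, user, context);
}

// Helper that runs the rule on constructed input and returns the resulting token claims.
function runRule(email, clientID, requestedScope) {
  const user = { email };
  const context = { clientID, request: { query: { scope: requestedScope } } };
  let result;
  augmentAccessToken(user, context, (err, u, ctx) => {
    if (err) throw err;
    result = ctx.accessToken;
  });
  return result;
}
```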