I see. Looking at this from another angle, if an M2M App is authorized to access a specific API (http://myapi/v1), with a certain list of Permissions (e.g. read:contacts, write:calendar), would it be possible to request an access token that only grants a subset of the Permissions? In other words, request a token (https://me.auth0.com/oauth/token) using a client ID and client secret, but only for read:contacts?