Continuing the discussion from Authorize endpoint not returning requested scopes:
My problem is that Auth0 could always return a token even if the user doesn’t have access to the requested scope. In this case, the application could think the current user has proper permission to call the target API service, but it will get a 401 because the required scope is missing from the token.
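A client-side check for the situation described in this post, as an added example that is not part of the original post and not Auth0's own code: it compares the scopes the application requested with the `scope` value in the token response and fails closed before the API call. The function names and the scope names (`read:reports`, `write:reports`) are constructed for illustration.

```javascript
// Added example: detect a token that was issued with fewer scopes than requested.

// Split a space-delimited OAuth 2.0 scope string into a Set of scope names.
function parseScopes(scopeString) {
  if (typeof scopeString !== "string") return new Set();
  return new Set(scopeString.split(/\s+/).filter(Boolean));
}

// requested: the scope string the application sent on the authorization request.
// tokenResponse: the parsed token response (JSON body, or the parsed URL
// fragment when the token is returned directly from the authorize endpoint).
function checkGrantedScopes(requested, tokenResponse) {
  const want = parseScopes(requested);
  const hasScope =
    tokenResponse != null &&
    Object.prototype.hasOwnProperty.call(tokenResponse, "scope");
  // RFC 6749 section 5.1: "scope" may be omitted only when the granted scope
  // is identical to the requested scope. If it is present, trust it, even
  // when it is empty or malformed (then nothing counts as granted).
  const granted = hasScope ? parseScopes(tokenResponse.scope) : new Set(want);
  const missing = [...want].filter((s) => !granted.has(s));
  return { ok: missing.length === 0, granted: [...granted], missing };
}

// Decide whether a specific API call may be attempted with this token.
// requiredForApi: array of scopes the target endpoint needs.
function canCall(requiredForApi, check) {
  return requiredForApi.every((s) => check.granted.includes(s));
}

// Constructed sample: the user lacks write access, so the server drops it.
const SAMPLE_REQUEST = "openid profile read:reports write:reports";
const SAMPLE_RESPONSE = {
  access_token: "placeholder-token",
  token_type: "Bearer",
  scope: "openid profile read:reports",
};

const sampleCheck = checkGrantedScopes(SAMPLE_REQUEST, SAMPLE_RESPONSE);
if (!sampleCheck.ok) {
  // Surface the gap in the UI or logs instead of waiting for the API to reject the call.
  console.log("Scopes not granted:", sampleCheck.missing.join(" "));
}
console.log("May call write endpoint:", canCall(["write:reports"], sampleCheck));
```

The check reads only the token response, so it works even when the access token is opaque to the client; the API must still enforce scopes on its side.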