The permissions come from RBAC indeed.
With my SPA app, I read the id_token to get the permissions (am I doing that right?).
With the M2M, you’re saying I can rely on the access_token to get the permissions? I can see indeed a claim “permissions” in it but it is missing my namespace. If I understang correctly the post you’ve quoted I should be able to enrich the access_token on my M2M app with a hook.
access_token['https://namespace/permissions'] = scope;
Ok, I’ve tried adding the following hook, and it does what I need. Thank you for your quick and efficient response!