I am also wondering this – the /tokeninfo endpoint from google is not really documented as far as I can tell, and when it is mentioned (like here) it’s called out that it should be used for development and debugging.
It almost seems like the only “sanctioned” way to test scopes for any third-party connection is to try hitting an API and checking for failure, which I’d prefer not to do (and is not always trivial).
Has anyone come up with a better solution for this?