I’m currently looking into Non-Interactive Clients to create a client for each vendor that uses our service and then set appropriate scopes for each. My other alternative is creating a user and leveraging app_metadata to set their scopes. I also created a simple Rule to ensure these users can’t log in to any other client, strictly the API-specific Client.
There are obvious differences between the two; I’m just unsure which falls under a best practice. Also, we don’t anticipate these vendors accessing anything user-specific for now.
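
An added example, not the poster's code: one way a Rule like the one described could keep vendor users on the API-specific client and grant only the scopes listed in app_metadata. The client ID placeholder, the `vendor` flag, the `scopes` array in app_metadata, the `runRule` helper and the local stand-in for `UnauthorizedError` are assumptions made for illustration.

```javascript
// Added example: Auth0 Rule restricting vendor users to one API client.
// Assumptions (not from the post): the client ID below, the
// app_metadata.vendor flag and the app_metadata.scopes array.
const API_CLIENT_ID = 'VENDOR_API_CLIENT_ID_PLACEHOLDER';

// Auth0's Rules runtime provides UnauthorizedError as a global; this
// stand-in lets the file run under plain Node as well.
const Denied = typeof UnauthorizedError !== 'undefined'
  ? UnauthorizedError
  : class extends Error {};

function restrictVendorUsers(user, context, callback) {
  const meta = user.app_metadata || {};
  if (!meta.vendor) {
    return callback(null, user, context); // ordinary users are unaffected
  }
  if (context.clientID !== API_CLIENT_ID) {
    return callback(new Denied('Vendor accounts may only use the API client.'));
  }
  // Grant the intersection of requested and assigned scopes, so a vendor
  // can never obtain a scope that is not listed in app_metadata.
  const req = context.request || {};
  const raw = (req.query && req.query.scope) || (req.body && req.body.scope) || '';
  const allowed = new Set(Array.isArray(meta.scopes) ? meta.scopes : []);
  const granted = raw.split(/\s+/).filter((s) => s && allowed.has(s));
  context.accessToken = context.accessToken || {};
  context.accessToken.scope = granted;
  return callback(null, user, context);
}

// Hypothetical helper: runs the rule locally against constructed inputs
// and reports either the denial message or the granted scopes.
function runRule(user, context) {
  let outcome;
  restrictVendorUsers(user, context, (err, u, ctx) => {
    outcome = err
      ? { denied: err.message }
      : { scope: ctx.accessToken && ctx.accessToken.scope };
  });
  return outcome;
}
```

In the Rules editor only the `restrictVendorUsers` function body is pasted; `runRule` exists only for local checks.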