I guess I was just doing it wrong after all. When calling /oauth/token I was including a scopes field in the request, but you can omit it in the request and it’ll just return whatever scopes are granted to the client in the JWT it returns. Much less fuss.
1 Like