There are some good points in your response, @nicolas_sabena, and I really appreciate it. You have the scenario down pat. What you’ve explained is exactly the problem we’re trying to solve here.
With that said, I’m a little fuzzy on this part:
The crux of the whole problem above is: should that tenant access we’ve been talking about be on the token itself, i.e. should the APIs introspect an access token to verify that the user has access to make a request for that tenant (via the query string, path, wherever it is), or should that be the responsibility of the API itself?
Your quote sounds a little like it’s beyond the scope of OAuth2 and maybe it should not be there, but I could be misunderstanding. Or maybe it is beyond the scope but is acceptable.
Thanks again for the response.