Hi Auth0 Team,
I have a React app that makes remote API calls. All are running on my laptop. I have set up an API on Auth0 with multiple permissions. Let’s call them p1 and p2 for the sake of this discussion. When I want to invoke an endpoint on my backend that requires only p1, can I invoke getAccessTokenSilently with a scope of ‘p1’? In fact, I did so and the token still had both p1 and p2 in the scope. I was expecting it to have ‘p1’ only, since security is all about the principle of least privilege. Am I missing something here? Was I wrong to expect only p1 to show up in the token in the first place? BTW, I am not running into a consent-related issue here, something that was discussed in this thread.