In my Auth0 use case I have users & projects (many-to-many relationship). The projects a user has access to are stored in app_metadata. On the API side I need one token (I suppose access_token type) for every project a user has access to, such that the project is in the scope of the token. It is a requirement to have one token per project because the backend cannot be fully trusted not to steal tokens which give access to other projects.
Are access_tokens the right tool for this authorization use case, and if they are, is there a limit to the number of different scopes I can create for a given API? (Every time a new project is created, I will create a new scope in the API for it.)