Yes, you’re doing something wrong, although the provided information is not sufficient to exactly pinpoint the issue. If the access token is only suitable for the /userinfo endpoint, then the client application should only perform a request to that endpoint when it needs to obtain user information; it should not be doing repeated requests just to ascertain the validity of the access token. In particular, when the client application received the authentication response containing the access token, it should also have received a general indication of how long the access token will remain valid through the expires_in response parameter.

If you’re sending the access token from a client application to a resource server (API) and it is then the API that performs that call, the issue is that you need to obtain an access token suitable for your own API. At this time, if you configure an API in the APIs section of the dashboard and then request an access token for that API from a client application, the issued access token will be a JWT. In this case the resource server can validate the access token by itself, simply by validating the signature of the access token and then ensuring that the access token claims are the ones it expects (issuer, audience, lifetime, etc).