Hi guys!
At this moment we are trying Ory Hydra with our custom consent. I’ve created one client for our mobile backend with custom scopes.
Our problem is on the resource server (API) side: how can a third-party API check whether an access_token received as a bearer token is valid and has the correct scope? Must we register the API as a client and get an access token to call the introspect endpoint? Or can we call the introspect endpoint using basic authorization? Should we set up some kind of policy?
Thanks in advance!