How to validate a token when API server is outside of internal subnet?

Referring to this picture:
The API server is required to validate the access token by calling the /introspect Admin API. The Admin API should not be exposed to the public. But my API server is on another external machine, run by a 3rd party (in relation to the user sign-in server), and can only access the public API of Hydra. What is the recommended way for the API server to validate the access token?

Either you need to provide secure access to the admin API (there may be many ways to do it) or you need to proxy the traffic through something (Ambassador/Envoy or another API gateway) located in your Hydra network. Alternatively, if nothing like this works, you may consider the JWT signed token strategy instead - it does not require access to the admin API, only to the public JWKS endpoint.

Thanks. I see.