Zegnat: One difference seems to be that it lets a client talk directly to the resource's Auth server (token endpoint?) and we specifically only wanted clients to talk to the user's endpoint. That way your trusted endpoint knows about all the tokens and can revoke for rogue clients.