gRegorIt hasn't been as hard as I thought once I wrapped my head around it. I add a client_id in the admin, it generates a client_secret, I set that secret in the media endpoint config, the media endpoint will use Basic Auth of its client_id + secret to authenticate the introspection request.
