gRegorYeah, I had a passing thought that the token response body could include a separate token, like "introspection_authentication", but the OAuth spec I read says that anything other than the expected keys in that JSON should be ignored by the client.
