carrvoSetting aside a definitive solution, can we think of what behaviours we would like introspection auth to have? Maybe 1) no pre-registration (no need for manual steps or information that cannot be obtained during the code flow) 2) RS should identify as itself (its URI)