FHm is it not
urn:ietf:params:oauth:client-assertion-type:jwt-bearer in this case?FHm gime a sec 
FAh now i see it. "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" is used to authenticate a client/app directly against the /introspect
Fno need to pass along the /token
FIf you want to get a token to send to an API you need to use a service user instead
FYes
FThe client/app credentials are not intended to get tokens.
We use service accounts for this, because they can receive access rights and generally are manageable like a user.
We use service accounts for this, because they can receive access rights and generally are manageable like a user.