OAuth 2.0 tells you what somebody is allowed to do. OAuth 2.0 is used to grant ID Tokens should not be used to gain access to an API. Each token contains .