This issue is to collect items for security considerations of what an access token can represent, which is also part of the token model discussed in #15:
- Audience restriction (the RS knows that it's the target of a token)
- Presenter key binding (vs. bearer tokens -- also covered in core)
- Subject identification (the RS knows who authorized the token)
- Issuer restriction (the RS knows who created the token, including signing a structure or providing introspection to prove this)

Almost all of these can refer to https://datatracker.ietf.org/doc/html/draft-ietf-oauth-access-token-jwt as an example of implementation.
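
The four properties listed above, written as checks an RS could run on the claims of a JWT access token. This is an added example, not text from the issue or from the referenced draft. It assumes the token's signature was already verified against the issuer's key, and that key binding is expressed as a `cnf.jkt` JWK thumbprint (RFC 7800 / RFC 9449), which neither the issue nor the draft specifies; all names and sample values are constructed.

```python
import base64
import hashlib
import json

def jwk_thumbprint(jwk):
    """RFC 7638 SHA-256 thumbprint of a public EC or RSA JWK (base64url, unpadded)."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    # Only the required members, sorted, no whitespace; "kid", "use" etc. are ignored.
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def check_token(claims, trusted_issuers, own_identifier, presenter_jwk):
    """Return the names of failed checks; an empty list means all four hold.
    presenter_jwk is the key the client proved possession of, or None."""
    failures = []
    # Issuer restriction: the token must come from an AS this RS trusts.
    iss = claims.get("iss")
    if not isinstance(iss, str) or iss not in trusted_issuers:
        failures.append("issuer")
    # Audience restriction: "aud" may be one string or an array of strings.
    aud = claims.get("aud")
    if isinstance(aud, str):
        aud = [aud]
    if not isinstance(aud, list) or own_identifier not in aud:
        failures.append("audience")
    # Subject identification: the RS must learn who authorized the token.
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        failures.append("subject")
    # Presenter key binding: a token without "cnf" is a bearer token and is
    # rejected here; a bound token must match the key the presenter proved.
    cnf = claims.get("cnf")
    jkt = cnf.get("jkt") if isinstance(cnf, dict) else None
    if jkt is None or presenter_jwk is None or jkt != jwk_thumbprint(presenter_jwk):
        failures.append("key_binding")
    return failures

# Constructed sample data (x/y are placeholder strings, not real curve points).
SAMPLE_KEY = {"kty": "EC", "crv": "P-256", "x": "c2FtcGxlLXg", "y": "c2FtcGxlLXk"}
SAMPLE_CLAIMS = {"iss": "https://as.example", "aud": "https://rs.example/api",
                 "sub": "user-1234", "cnf": {"jkt": jwk_thumbprint(SAMPLE_KEY)}}

if __name__ == "__main__":
    print(check_token(SAMPLE_CLAIMS, {"https://as.example"},
                      "https://rs.example/api", SAMPLE_KEY))
```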