ietf-wg-gnap / gnap-resource-servers


How does token introspection handle symmetric keys? #47

Closed pq2 closed 1 year ago

pq2 commented 2 years ago

In Section 3.3, as part of token introspection, the AS sends the key to which the token is bound to the requesting RS. The corresponding field is described as follows:

key (object/string): REQUIRED if the token is bound. The key bound to the access token, to allow
 the RS to validate the signature of the request from the client instance. If the access token is
 a bearer token, this MUST NOT be included.

Since we should not send symmetric keys (even more so in the context of token introspection, which may be performed by arbitrary RSs), I assume that if an access token is bound to a symmetric key, a key reference must always be sent here and never a key object. Am I correct in this assumption and if so, shouldn't this be explicitly stated in the Resource Server Connections document?

jricher commented 2 years ago

This is a good point -- this needs to be restricted, and the editors will add security considerations about how to use different kinds of keys at the RS without doing this.

pq2 commented 2 years ago

I would also be interested in how token introspection might work when an access token is bound to a symmetric key generated by the AS, as mentioned in Section 12.19 of the main document.
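An RS-side illustration of the two situations pq2 raises (a bound token whose key is delivered by reference rather than by value, and a symmetric key the RS must already hold locally), written as an added Python example that is not part of this issue, the GNAP documents, or the working group's code. It assumes that the AS and RS have agreed out of band on a reference string for any shared symmetric key (the issue does not define that channel), that symmetric JWKs are recognised by `kty: "oct"`, and that the `proof` value `hmac-example` and the signature base string are placeholders standing in for whatever proofing method the RS actually uses:

```python
import base64
import hashlib
import hmac


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed: a symmetric key the RS already holds, provisioned out of band.
# Assumption: the AS and RS agreed on the reference "rs-hmac-key-1"; the issue
# text does not say how. "hmac-example" is a placeholder, not a registered
# GNAP proofing method.
SHARED_SECRET = b"constructed-shared-secret-for-demo"
RS_KEY_STORE = {
    "rs-hmac-key-1": {
        "proof": "hmac-example",
        "jwk": {"kty": "oct", "k": b64url_encode(SHARED_SECRET)},
    },
}

# Constructed introspection responses in the shape the quoted field text
# describes: "key" is an object or a string, and is absent for bearer tokens.
RESPONSE_BEARER = {"active": True, "access": ["read"]}
RESPONSE_BY_REFERENCE = {"active": True, "access": ["read"], "key": "rs-hmac-key-1"}
RESPONSE_SYMMETRIC_BY_VALUE = {
    "active": True,
    "access": ["read"],
    "key": {"proof": "hmac-example", "jwk": {"kty": "oct", "k": b64url_encode(SHARED_SECRET)}},
}
# Public key by value is fine; EC coordinates omitted since only kty matters here.
RESPONSE_ASYMMETRIC_BY_VALUE = {
    "active": True,
    "access": ["read"],
    "key": {"proof": "httpsig", "jwk": {"kty": "EC", "crv": "P-256"}},
}


def resolve_bound_key(response: dict, key_store: dict):
    """Return the key object the RS uses to validate the client's request
    signature, or None for a bearer token.

    Raises ValueError when the response breaks the rule pq2 proposes:
    symmetric key material must never arrive by value in introspection.
    """
    if response.get("active") is not True:
        raise ValueError("token is not active")
    key = response.get("key")
    if key is None:
        return None  # bearer token: nothing to bind the request to
    if isinstance(key, str):
        # Key by reference: the RS must already hold it; never fetch it from the AS.
        if key not in key_store:
            raise ValueError(f"unknown key reference {key!r}")
        return key_store[key]
    if isinstance(key, dict):
        jwk = key.get("jwk")
        if isinstance(jwk, dict) and jwk.get("kty") == "oct":
            raise ValueError("symmetric key material sent by value; refusing")
        return key
    raise ValueError("key must be an object or a reference string")


def demo_client_signature(secret: bytes, signature_base: bytes) -> str:
    """What a client holding the shared secret would present (placeholder scheme)."""
    return b64url_encode(hmac.new(secret, signature_base, hashlib.sha256).digest())


def verify_hmac_proof(key_obj: dict, signature_base: bytes, presented: str) -> bool:
    """Check the client's HMAC over a precomputed signature base with the
    resolved symmetric key. Constant-time compare avoids a timing side channel."""
    jwk = key_obj.get("jwk", {})
    if jwk.get("kty") != "oct":
        return False
    secret = b64url_decode(jwk["k"])
    expected = hmac.new(secret, signature_base, hashlib.sha256).digest()
    return hmac.compare_digest(b64url_encode(expected), presented)
```

The policy lives entirely in `resolve_bound_key`: a reference is looked up locally, an asymmetric key object is accepted as-is, and an `oct` JWK by value is treated as a protocol violation rather than quietly used, which is the explicit statement pq2 asks the Resource Server Connections document to make.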