My question is about how that permission is expressed. The technical details of how an APP proves itself worthy. Yes, the APP has to present my ID, but it also needs to prove it has the rights to use that ID and I think that means what we have here is a certificate signed by the ID.
Or am I wrong and APPs connect through a separate client? I thought Safe moved away from the separate login process model because that’s not universally doable (iOS, for example, doesn’t allow background processes unless you’re some sort of deity).
EDIT: Talking about bearer credentials reminded me about something I saw recently. I started a separate thread for that: Bearer credentials with caveats for distributed authorization