Resource Server
- It must validate the access token on every request (signature, issuer, audience, expiry, scope) before serving the resource
- Local validation: if the resource server only checks the token's signature and claims itself (e.g. a JWT), it will keep accepting a token that the authorization server has already revoked, until the token expires
- Remote validation: if the resource server checks the token against the authorization server's introspection endpoint (/introspect) on each request, revocation is seen immediately, but every request pays an extra network round trip, so latency goes up and the authorization server becomes a bottleneck
- There is no single right answer for how often to validate locally versus remotely; it is a trade-off between security (how quickly a revoked token stops working) and latency
- For high-security use cases such as healthcare and banking, check with the authorization server more often (shorter cache interval, or on every request for sensitive operations)
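The trade-off above, as an added example that is not part of the original notes: a minimal HS256 JWT validator (signature, algorithm pin and expiry, all checked locally) combined with a resource server that re-checks each token against a remote introspection callback at most once per `recheck_interval` seconds. The secret, claim values and the in-memory "authorization server" are constructed for the demo; in practice the introspection call would be an HTTP POST to the /introspect endpoint.

```python
import base64
import hashlib
import hmac
import json
from typing import Callable, Optional

# Illustrative shared HMAC key between authorization server and resource server
# (assumption for the demo, not a value from the notes).
SECRET = b"demo-shared-secret-change-me"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Mint an HS256 JWT; stands in for the authorization server."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_locally(token: str, now: float, secret: bytes = SECRET) -> Optional[dict]:
    """Local validation only: signature and expiry. Cannot see revocation."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, json.JSONDecodeError):
        return None
    # Pin the algorithm; never let the token's own header choose it (e.g. "none").
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= now:
        return None
    return claims


class ResourceServer:
    """Hybrid validation: always local, remote introspection at most every recheck_interval s."""

    def __init__(self, introspect: Callable[[str], bool], recheck_interval: float):
        self._introspect = introspect          # remote call: returns True if token is active
        self._interval = recheck_interval
        self._last_remote_check: dict = {}     # token -> time of last introspection

    def authorize(self, token: str, now: float) -> bool:
        if validate_locally(token, now) is None:
            return False                        # cheap local reject, no network needed
        last = self._last_remote_check.get(token)
        if last is None or now - last >= self._interval:
            if not self._introspect(token):
                self._last_remote_check.pop(token, None)
                return False
            self._last_remote_check[token] = now
        return True                             # within the interval: served from local check only


def demo():
    """Shows the revocation window: a revoked token stays valid until the next remote check."""
    t0 = 1_000_000.0
    token = issue_jwt({"sub": "alice", "scope": "read", "exp": t0 + 3600})
    revoked = set()
    calls = []                                  # counts remote round trips

    def introspect(tok: str) -> bool:
        calls.append(tok)
        return tok not in revoked

    rs = ResourceServer(introspect, recheck_interval=60)
    r1 = rs.authorize(token, t0)                # remote check, accepted
    r2 = rs.authorize(token, t0 + 10)           # local only, accepted
    revoked.add(token)                          # authorization server revokes it
    r3 = rs.authorize(token, t0 + 20)           # still accepted: revocation not yet seen
    r4 = rs.authorize(token, t0 + 61)           # interval elapsed, introspection says revoked
    return r1, r2, r3, r4, len(calls)


if __name__ == "__main__":
    print(demo())
```

Shrinking `recheck_interval` closes the revocation window at the cost of more introspection calls; setting it to 0 is the "remote on every request" end of the spectrum.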
API Gateway
- Optional, but recommended
- It can add rate limiting, logging, and central management of the APIs behind it
- Where possible, verify tokens at the gateway as well, so that requests with missing, expired, or malformed tokens are rejected before they reach the resource servers, reducing the traffic they have to handle
Client Application
- The most important component to secure, and the hardest
- Choose the right grant type for the kind of client
- Use TLS for every request that carries a token
- Validate the tokens you receive
- Secure the tokens you hold
- Any client-side app (SPA, mobile app, smart TV) is a public client: it cannot keep a client secret, since anything shipped to the user can be extracted
- So the plain Authorization Code flow and the Client Credentials flow are not suitable, since both rely on a client secret
- Use Authorization Code with PKCE instead, or the Device Authorization grant for input-constrained devices such as smart TVs
- For backend (confidential) applications, Authorization Code (with a client secret) or Client Credentials makes the most sense
- Authorization Code, Client Credentials, and Authorization Code with PKCE are going to be the most common grants in practice
- Secure your tokens: never display them to the end user, never write them to logs, and avoid putting them in persistent storage the user or other apps can read (e.g. browser localStorage)