Sequence diagram. Participants: Client, Resource Server, AM Authorization Server.

Obtain Access Token
1. Request access token over mTLS
2. Embed client certificate hash into access token
3. Return access token as JWT (client-based) or access token ID (CTS-based)

Access a Resource
4. Present JWT / access token ID with embedded certificate hash over TLS

If CTS-based...
5. Introspect access token ID to validate x5t#S256 hash against client's TLS certificate

If Client-based...
6. Read x5t#S256 hash from the access token to validate it against client's TLS certificate

7. Allow access to protected resource
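The resource server's check in steps 5 and 6, as an added example (not code from AM or from the original page). It assumes the hash is carried in the `cnf` claim as defined by RFC 8705, that the JWT signature has already been verified, and that the certificate is available as DER bytes; the function names and the sample bytes are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def cert_thumbprint(der_cert: bytes) -> str:
    """x5t#S256: unpadded base64url of SHA-256 over the DER-encoded certificate."""
    return b64url(hashlib.sha256(der_cert).digest())


def jwt_claims(token: str) -> dict:
    """Decode the payload of a JWT whose signature was ALREADY verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def is_bound_to(claims: dict, der_cert: bytes) -> bool:
    """claims: JWT payload (client-based) or introspection response (CTS-based)."""
    cnf = claims.get("cnf")
    expected = cnf.get("x5t#S256") if isinstance(cnf, dict) else None
    if not isinstance(expected, str) or not der_cert:
        return False  # fail closed: an unbound token is not accepted here
    actual = cert_thumbprint(der_cert)
    return hmac.compare_digest(expected.encode(), actual.encode())


# Constructed sample data: these bytes stand in for DER certificates, e.g. what
# ssl.SSLSocket.getpeercert(binary_form=True) returns on the resource server.
CLIENT_CERT = b"constructed-der-bytes-client-A"
OTHER_CERT = b"constructed-der-bytes-client-B"
BOUND = {"sub": "myClient", "cnf": {"x5t#S256": cert_thumbprint(CLIENT_CERT)}}
TOKEN = ".".join([b64url(b'{"alg":"RS256","typ":"JWT"}'),
                  b64url(json.dumps(BOUND).encode()),
                  "constructed-signature"])
INTROSPECTION = {"active": True, **BOUND}  # CTS-based: introspection response

if __name__ == "__main__":
    print("client-based, same cert:", is_bound_to(jwt_claims(TOKEN), CLIENT_CERT))
    print("client-based, other cert:", is_bound_to(jwt_claims(TOKEN), OTHER_CERT))
    print("CTS-based, same cert:", is_bound_to(INTROSPECTION, CLIENT_CERT))
```

A token replayed over a TLS session authenticated with a different certificate fails the comparison, which is what makes a stolen certificate-bound token unusable on its own.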