User Answers

If you are generating access tokens, then you are probably on the server where the access tokens are stored in OAuth2.Server.AccessToken.  OAuth2.AccessToken is where the access tokens are stored on the client. 

Both of these tables must be accessed from the %SYS namespace and privileges to access CACHESYS database are required.

I thought about use of RFC 7523 a bit more and realized that in many situations it is appropriate to use the client credentials grant type from RFC6749 with the request authenticated using a JWT per RFC 7523.  This usage is supported in 2017.1 and will give you many of the security attributes of JWT grant type.

RFC 7523 specifies the use of a JWT both as an authentication mechanism for a client and as a grant type to obtain an access token.  Cache supports the use of a JWT for client authentication in 2017.1.  There are currently no plans to support the JWT grant type for obtaining an access token.  This is a reasonable enhancement request..  I suggest that you make the request through the WRC including more background on your intended use.  Then priority can be set.