The client has to include the access token when invoking any OAuth protected API service. The API server will validate this access token and authorize the incoming API requests based on the scopes embedded in the access token. For information about validating the tokens, see Section 2.5.4, Validating a JWT Token.
curl -X POST -H "Authorization: Bearer eyJhbGciOiJSU0ExXzU.....""https://api.oauth.apiserver.com/v1/resource"