As discussed on the call, I have updated the OAuth spec to capture the guidance for protecting higher value resources with unique scopes, and how to leverage refresh_tokens for continued access to lower level resources after the initial access_token expires. MV