I often talk about the tradeoffs between local and remote access token validation in my OAuth presentations. This blog post by my coworker is a nice demonstration of that in PHP! https://developer.okta.com/blog/2020/01/15/protecting-a-php-api-with-oauth