Did you instead mean to ask how the APIs would know if the client presenting the access token is in fact the client to whom the access token was actually issued to?