Does anyone of you have a best practice with protecting resources with Oauth2 on the gateway with OTK with a sandbox mode and a production mode. This is where the client application is allowed to use a sandbox url, but only after approvement allowed to use the production url (or with the same url, but different backend routing)?
We don't want to achieve this with scopes. The client side should not have to change anything. The approvement process result in registration something (client registration in OTK db?) which we could test on in the proxy. Is there any other means you might know of which is pretty standard for this?
It is a bit like this scenario: Sandbox Mode • Instagram Developer Documentation
(using OTK 3.1.2 at the moment)