A computer system comprising a resource server running on the computer system. The resource server receives a client request from a client in which the client request includes an access token. The resource server sends an introspection request to an introspection gateway, wherein the introspection request is for introspection of the access token based on the client request, and wherein the introspection gateway uses a third-party authorization server from a plurality of third-party authorization servers to handle the introspection request. The resource server receives a response from the introspection gateway, wherein the response identifies a set of scopes for the access token. The resource server determines whether the access token has sufficient scope from a resource server response. The client is granted access to the resource server in response to the access token having the sufficient scope.