Server 2 server cid validation

When using the Client Credentials Flow, after I get the access token,
what is the best practice to continue from this point?

If I understand correctly, I should validate the token signature and extract the “cid” from the token.
I can use the “cid” to check if the app really exists by calling https:///api/v1/apps/

What should be the next step?
Should I keep the permission of this app cid on my env? This means I need to track all apps' cids.
Or can I add permission data to the service app on Okta?