Strip personal information from access token but make the information available via introspection or another secure comms channel?

I would like to use Okta as authorization server for an API that I am developing.

The idea is that I use claims to contain application permissions. However, I don’t want to ‘leak’ the permissions in the access token nor in the ID token.

How can I implement this so that the access token hardly contains any information, and that via introspection (or any other secure way) I can get the user’s full details?

How about the userinfo endpoint?

That could maybe work! Thanks for the suggestion!
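An added example, not code from this thread: a resource-server check that keeps the permissions out of the access token and instead resolves an opaque token through the authorization server's introspection endpoint (RFC 7662), then validates the answer (active flag, audience, expiry) before trusting the permissions it carries. The userinfo endpoint suggested above is the other route; note that it returns profile claims to whoever holds the token, whereas introspection returns token metadata to the API, authenticated with the API's own credentials. The URL, audience, client credentials and the `permissions` claim name are assumptions, and the sample responses are constructed.

```python
import base64, json, time, urllib.parse, urllib.request

# Placeholders: take the real values from the authorization server's configuration.
INTROSPECT_URL = "https://AUTH-SERVER/oauth2/default/v1/introspect"
EXPECTED_AUD = "api://orders"            # audience this API was registered with
CLIENT_ID, CLIENT_SECRET = "RESOURCE-SERVER-ID", "RESOURCE-SERVER-SECRET"

def introspect_remote(token: str) -> dict:
    """RFC 7662 introspection over TLS: the resource server, authenticated with its
    own client credentials, asks the AS what the opaque token stands for."""
    body = urllib.parse.urlencode({"token": token, "token_type_hint": "access_token"})
    req = urllib.request.Request(INTROSPECT_URL, data=body.encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    basic = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    req.add_header("Authorization", f"Basic {basic}")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)

def resolve_permissions(token: str, introspect, now=None):
    """Permissions the AS associates with `token`, or None to reject the request.
    `introspect` is any callable returning the RFC 7662 response as a dict."""
    now = time.time() if now is None else now
    info = introspect(token)
    if not info.get("active"):           # revoked, expired or unknown at the AS
        return None
    aud = info.get("aud", [])            # "aud" may be a string or a list
    if EXPECTED_AUD not in ([aud] if isinstance(aud, str) else aud):
        return None                      # issued for a different API
    if "exp" in info and info["exp"] <= now:
        return None                      # do not rely on "active" alone
    return frozenset(info.get("permissions", []))  # claim name is an assumption

def authorize(token: str, required: str, introspect=introspect_remote, now=None) -> bool:
    perms = resolve_permissions(token, introspect, now)
    return perms is not None and required in perms

# Constructed sample responses standing in for the authorization server.
SAMPLE = {
    "opaque-ok": {"active": True, "aud": "api://orders", "exp": 2_000_000_000,
                  "permissions": ["orders:read", "orders:write"]},
    "opaque-expired": {"active": True, "aud": "api://orders", "exp": 1_000_000_000,
                       "permissions": ["orders:read"]},
    "opaque-foreign": {"active": True, "aud": ["api://other"], "exp": 2_000_000_000,
                       "permissions": ["orders:read"]},
}

def stub_introspect(token: str) -> dict:
    return SAMPLE.get(token, {"active": False})  # RFC 7662: unknown tokens are inactive
```

Introspection is a network round trip per request, so in production cache the result for a short TTL well below the token lifetime; the client sees only the opaque string, and the permissions never leave the server side.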