I found that the scope (a list of URIs the token is allowed to access) can be specified in the Connect API's JWT payload, and then tried to do the same thing with the App Store API, which is not working.
I know the documentation doesn't mention it. But when there are endpoints that can arbitrarily extend user subscriptions and search others' history, it should be important to restrict what the client can do, since these might be sensitive.
Since the team I'm on is evaluating this, kindly correct me and provide your consideration.
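Added illustration of the least-privilege idea raised above (not code from the poster or from Apple): it builds the unsigned claim set of a scoped App Store Connect API token and shows how a scope check differs from an unscoped token that permits every operation. The claim names and the "METHOD /path" scope string format follow the App Store Connect API token documentation as I know it; the issuer ID is a placeholder, and real tokens must additionally be ES256-signed by a JWT library.

```python
import base64
import json
import time
from typing import Optional

AUDIENCE = "appstoreconnect-v1"   # aud value the App Store Connect API expects
MAX_TTL = 20 * 60                 # documented maximum token lifetime (20 minutes)


def build_scoped_claims(issuer_id: str, scope: Optional[list], ttl_seconds: int = 600,
                        now: Optional[int] = None) -> dict:
    """Unsigned claim set for a least-privilege token.
    `scope` lists the only operations the token may be used for; None = unrestricted."""
    now = int(time.time()) if now is None else now
    if ttl_seconds > MAX_TTL:
        raise ValueError("token lifetime must not exceed 20 minutes")
    claims = {"iss": issuer_id, "iat": now, "exp": now + ttl_seconds, "aud": AUDIENCE}
    if scope is not None:
        claims["scope"] = scope
    return claims


def encode_unsigned(header: dict, claims: dict) -> str:
    """header.payload portion of the JWT (base64url, no padding).
    A JWT library appends the ES256 signature over exactly this string."""
    def b64(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64(header)}.{b64(claims)}"


def operation_allowed(claims: dict, method: str, path: str, now: int) -> bool:
    """Server-side view of a token: would it permit this operation?
    A token carrying no scope claim permits everything, which is the risk the post raises."""
    if claims.get("aud") != AUDIENCE:
        return False
    if not (claims["iat"] <= now < claims["exp"]):
        return False
    scope = claims.get("scope")
    if scope is None:
        return True
    return f"{method.upper()} {path}" in scope


if __name__ == "__main__":
    # Constructed sample: token limited to listing apps, issued at a fixed time.
    claims = build_scoped_claims("ISSUER-ID-PLACEHOLDER", ["GET /v1/apps"], now=1_700_000_000)
    header = {"alg": "ES256", "kid": "KEY-ID-PLACEHOLDER", "typ": "JWT"}
    print(encode_unsigned(header, claims))
    print(operation_allowed(claims, "GET", "/v1/apps", 1_700_000_100))    # True
    print(operation_allowed(claims, "POST", "/v1/apps", 1_700_000_100))   # False
```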