Editing a User to Add Sensitive Scopes to a JWT ($6000 USD)

We discussed this vulnerability during Episode 89 on 11 October 2021

The application issued a JWT, and there was functionality to invite a user to a group and then change that user's privileges; those privileges were reflected as scopes in the JWT. By modifying the edit-user request, additional scopes that were never displayed in the UI could be added, such as the company:operations and company:support scopes. The resulting JWT was then able to access an internal, employee-only API. The same vulnerability existed when assigning scopes to your own API keys: the server trusted whatever scope list the client sent instead of checking it against the scopes the requester was actually allowed to grant.
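As an added illustration (example code written for these notes, not the target's code), the following models the bug and its fix. It assumes a hypothetical scope set where the UI only offers company:read and company:write, a demo HS256 signing key, and a minimal hand-rolled JWT encoder; only the company:operations and company:support scope names come from the write-up. The vulnerable handler stores whatever scopes the client sends, so they land in the minted token; the fixed handler rejects any scope that is not user-grantable or that the requester does not hold, which is the same check that has to sit in front of API-key scope assignment.

```python
import base64
import hashlib
import hmac
import json

# Assumed scope model for illustration. Only company:operations and
# company:support are named in the write-up; the grantable scopes and the
# signing key are made up for this example.
USER_GRANTABLE_SCOPES = {"company:read", "company:write"}
INTERNAL_SCOPES = {"company:operations", "company:support"}
SIGNING_KEY = b"example-only-not-a-real-key"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def mint_jwt(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Minimal HS256 JWT: header.payload.signature."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def jwt_scopes(token: str) -> set:
    """Read the space-separated scope claim back out of the payload segment."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return set(json.loads(base64.urlsafe_b64decode(payload))["scope"].split())


class ScopeNotGrantable(Exception):
    pass


def edit_user_vulnerable(target: dict, body: dict) -> dict:
    """Mass-assignment bug: whatever scopes the client sends are stored."""
    target["scopes"] = set(body["scopes"])
    return target


def edit_user_fixed(requester_scopes: set, target: dict, body: dict) -> dict:
    """Server-side allowlist: a requester may only grant scopes that are
    user-grantable AND that the requester holds themselves."""
    requested = set(body["scopes"])
    allowed = USER_GRANTABLE_SCOPES & requester_scopes
    rejected = requested - allowed
    if rejected:
        raise ScopeNotGrantable(f"not grantable: {sorted(rejected)}")
    target["scopes"] = requested
    return target


def issue_token(user: dict) -> str:
    """The token reflects the stored scopes, which is what makes the bug bite."""
    return mint_jwt({"sub": user["id"], "scope": " ".join(sorted(user["scopes"]))})


def demo():
    # Constructed request body: the UI only offers company:read/company:write,
    # but the attacker appends the hidden employee-only scopes.
    attacker = {"company:read", "company:write"}
    body = {"scopes": ["company:read", "company:operations", "company:support"]}

    victim = edit_user_vulnerable({"id": "u-2", "scopes": set()}, body)
    escalated = jwt_scopes(issue_token(victim))

    try:
        edit_user_fixed(attacker, {"id": "u-2", "scopes": set()}, body)
        blocked = False
    except ScopeNotGrantable:
        blocked = True
    return escalated & INTERNAL_SCOPES, blocked


if __name__ == "__main__":
    gained, blocked = demo()
    print("vulnerable handler leaked:", sorted(gained))
    print("fixed handler blocked:", blocked)
```

The point to carry over to a real review: enumerate the scope strings the server will accept by sending values that the UI never offers, and check both the edit-user path and the API-key creation path, since the write-up found the same missing check in each.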