We are seeing some issues with using the standard API. When we use the scope (user/Appointment.read) as defined to get the token, it generates the token and it generates the DB entry in the oauth3 table, but since the routes (/api/appointment, user/appointment.read) are in lowercase letters, when we use the token to call the API it throws unauthorized access.
From what we can see, the scope and route should have similar letter case.
We tested this by making the route (/api/Appointment, user/Appointment.read) upper case, and then it worked.
The standard API uses the lowercase scope names. user/appointment.read is the scope you are wanting. The standard API predates the FHIR APIs and we didn’t change their names due to legacy support. So the API is not broken, you're just using the wrong scope.
Uppercase scopes are for the FHIR apis and are required to be that way to be interoperable with other FHIR systems.
Look in the MySQL table oauth2_clients and look at the scope field. If you didn’t register your oauth2 client with the user/appointment.read scope it will remove it from the access token if you request it. You can add the scope there in the table if you want to keep using the same client.
Debugging can be enabled in Admin → Config → Logging → System Error Logging Options.
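
Added example, not part of the thread and not OpenEMR code: a small check that compares the scopes a client requests against the value copied from the `scope` field of `oauth2_clients`, and flags requests that differ from a registered scope only by letter case. It assumes the field holds a space-delimited list (the OAuth 2.0 convention in RFC 6749 section 3.3, where scope strings are also case-sensitive); the function names and sample values are constructed for illustration.

```python
# Added example. Scope strings are matched exactly, so user/Appointment.read
# and user/appointment.read are two different scopes.

def parse_scopes(scope_field):
    """Split a space-delimited scope string into an ordered, de-duplicated list."""
    seen, ordered = set(), []
    for scope in scope_field.split():
        if scope not in seen:
            seen.add(scope)
            ordered.append(scope)
    return ordered


def diagnose_scopes(registered_field, requested_field):
    """Report which requested scopes the client registration covers.

    granted:       requested scopes present, byte for byte, in the registration
    dropped:       requested scopes that are not registered
    case_mismatch: dropped scopes that match a registered scope when case is ignored
    """
    registered = parse_scopes(registered_field)
    folded = {}
    for scope in registered:
        folded.setdefault(scope.casefold(), []).append(scope)

    report = {"granted": [], "dropped": [], "case_mismatch": {}}
    for scope in parse_scopes(requested_field):
        if scope in registered:
            report["granted"].append(scope)
            continue
        report["dropped"].append(scope)
        candidates = folded.get(scope.casefold())
        if candidates:
            report["case_mismatch"][scope] = candidates
    return report


# Constructed sample values, not taken from a real installation.
REGISTERED = "openid user/appointment.read user/Patient.read"
REQUESTED = "openid user/Appointment.read user/Patient.read user/encounter.read"

if __name__ == "__main__":
    result = diagnose_scopes(REGISTERED, REQUESTED)
    print("granted:", result["granted"])
    print("dropped:", result["dropped"])
    for asked, registered_as in result["case_mismatch"].items():
        print(f"{asked!r} differs only by case from registered {registered_as}")
```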