I wrote a blog post about the difference between Phantom and Split Token approaches. If you deal with access tokens in APIs, especially JWTs then it should be of interest to you: https://curity.io/blog/how-should-you-serve-your-access-tokens-jwts-phantom-or-split/