I wrote a blog post about managing claims in tokens. An important thing to remember — the token's content is a contract, though its parties vary depending on the token type. You can read the full post here: https://curity.io/blog/managing-scopes-and-claims-in-oauth-tokens/