When authenticating a token, does one token correspond to one API? If that’s true, then does the client need to determine the token based on a different API?
An OAuth “token” is arbitrary and simply represents a Kong consumer. What controls which APIs that token has access to is under the scope of the ACL plugin and whitelist/blacklist groups.
For example, if you create a Proxy and assign the oauth2 plugin to it, then that means all users that can generate oauth2 tokens have access. As soon as you add an ACL plugin to the proxy and give it a whitelist element like “MyAPIGroup”, then only consumers who have the ACL group “MyAPIGroup” can access your proxy with the oauth2 plugin already enabled on it.
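
The decision described in the answer above, as an added example that is not part of the original post and is not Kong's code: a simplified Python model in which a token resolves only to a consumer and the per-proxy ACL groups decide access. The proxy names, tokens, consumers and the `authorize` helper are constructed for illustration.

```python
# Simplified model of "token -> consumer -> ACL groups"; not Kong's implementation.
# Every name and value here is constructed sample data.
from dataclasses import dataclass, field


@dataclass
class Proxy:
    name: str
    whitelist: set = field(default_factory=set)  # ACL groups allowed (empty = no ACL whitelist)
    blacklist: set = field(default_factory=set)  # ACL groups refused


# A token identifies a consumer. It carries no reference to any proxy.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}

# ACL group membership belongs to the consumer, not to the token.
CONSUMER_GROUPS = {"alice": {"MyAPIGroup"}, "bob": set()}

# Both proxies have the oauth2 plugin; only the second also has an ACL whitelist.
OPEN_PROXY = Proxy("oauth2-only")
GROUP_PROXY = Proxy("oauth2-plus-acl", whitelist={"MyAPIGroup"})


def authorize(proxy: Proxy, token: str) -> int:
    """Return the HTTP status this model answers with for a request."""
    consumer = TOKENS.get(token)
    if consumer is None:
        return 401  # authentication step: the token maps to no consumer
    groups = CONSUMER_GROUPS.get(consumer, set())
    if proxy.whitelist and not (groups & proxy.whitelist):
        return 403  # authorization step: consumer is in no whitelisted group
    if proxy.blacklist and (groups & proxy.blacklist):
        return 403  # authorization step: consumer is in a blacklisted group
    return 200


if __name__ == "__main__":
    for proxy in (OPEN_PROXY, GROUP_PROXY):
        for token in ("tok-alice", "tok-bob", "tok-unknown"):
            print(f"{proxy.name:16} {token:12} -> {authorize(proxy, token)}")
```

The same token is presented to both proxies; only the consumer's group membership changes the outcome on the proxy that has an ACL whitelist.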