The incremental authz draft, hailing from the IETF OAUTH WG, is different from grant management but also similar in many respects. For security reasons, the former has some significantly distinct functionality based on whether the client can authenticate or not. William Denniss (the man with two first names) is a pretty smart dude so I trust there's good reason for it. Meanwhile there's no such distinction in grant management. I've admittedly not thought it all through but I suspect that grant management needs some more work in this respect. Like maybe different behavior or recommendations for public clients, or disallowing parts of its use by public clients. Or, if not, some security considerations/analysis saying why it's okay.