I’d argue no, clients should treat them as opaque, and only the resource server and authorization server worry about their contents. See #22 for context.
