When a service account with the create-client or manage-clients role can use the client-registration endpoints to create/manage clients with an access token.
If the access token is leaked, there is an option to revoke the specific token. However, the check is not performed in client-registration endpoints.