Can't verify OAuth token
Based on https://docs.joinmastodon.org/client/token/ and https://docs-develop.pleroma.social/backend/API/pleroma_api/, I am trying to get an access token to a Pleroma instance. I've tried two Pleroma instances and it didn't work, it did work on a Mastodon instance.
I do a request to https://pleroma.site/api/v1/apps like
curl --location --request POST 'https://pleroma.site/api/v1/apps' \
--form 'client_name=test_inbox' \
--form 'redirect_uris=urn:ietf:wg:oauth:2.0:oob'
and get a json with client_id, client_secret (and other stuff).
Then I do a request to https://pleroma.site/oauth/token lik
curl --location --request POST 'https://pleroma.site/oauth/token' \
--header 'Authorization: Bearer <...>' \
--form 'client_id=...' \
--form 'client_secret=...' \
--form 'redirect_uri=urn:ietf:wg:oauth:2.0:oob' \
--form 'grant_type=client_credentials'
and get a json like
{"access_token":"...","token_type":"Bearer","scope":"read","created_at":1603899685}
So far so good, and same as Mastodon. But now, when I do a request to https://pleroma.site/api/v1/apps/verify_credentials like
curl --location --request GET 'https://pleroma.site/api/v1/apps/verify_credentials' \
--header 'Authorization: Bearer ...'
I get a "403 Forbidden" response {"error": "Invalid credentials."}
What am I doing wrong? I didn't find a difference in the API at https://docs-develop.pleroma.social/backend/API/differences_in_mastoapi_responses/