...
Extract client_id from token.
Check client scopes in order to perform this action (scope = 'observation:practical_monitor')
in case of error - return 403 (“Your scope does not allow to access this resource. Missing allowances: observation:practical_monitor”)
Check legal entity type (type = NHS)
In case of error - return 403 ('You don't have permission to access this resource')
Check legal entity status (status = ACTIVE)
In case of error - return 409 ('client_id refers to legal entity that is not active')
...