The PR to add tool token functionality, included functionality to check a tools claim in the jwt token. And if there is a tool claim, this token is only allowed to access api endpoints which are annotated with a @AllowedTools() annotation
This feature is not well documentated and should be done for example in docs/dev/guidelines/server.rst