Curity's Jonas Iggbom recently contributed to the Kong Inc. blog. In the article, he explains how you can establish token-based access control using the Curity Identity Service, Kong Gateway, and Open Policy Agent.
The blog post focuses on implementing the Phantom Token Approach to achieve Level 3 of the API Security Maturity Model. This approach externally uses opaque (reference) access tokens, exchanging them for a signed JSON Web Token (JWT) with scopes and claims in Kong Gateway. The system then passes that information onward to the upstream API.
Read the article Token-Based Access Control With Kong, OPA and Curity here.