The access token usually has an `aud` field that says for whom it is.
I'm not familiar with Gitea's implementation, but reading your link, it would seem that it acts as an oauth2 provider so that 3rd parties can access Gitea, not some other random app.
> Gitea supports acting as an OAuth2 provider to allow third party applications to access its resources with the user's consent.
The access token usually has an `aud` field that says for whom it is.
I'm not familiar with Gitea's implementation, but reading your link, it would seem that it acts as an oauth2 provider so that 3rd parties can access Gitea, not some other random app.
> Gitea supports acting as an OAuth2 provider to allow third party applications to access its resources with the user's consent.