Is there a standardised way of differentiating that an access token has been created through either client credentials or authorisation code flows? I know that the authorization code flow is used for user authentication and contains user personal information but besides those claims that might be attached to jwt, is there a standard good practice to know that a token has been created through a specific flow without knowing beforehand?
One option is to include a client claim, that is specific to the client that requested the tokens.
For example, with IdentityServer, you have a concept of ClientClaims that you can read more about here. ClientClaims are claims that are specific to a client and not vary depending on the user.
Access token generated by a user, also typically includes the AMR claim and access tokens using client credentials flow do not contain the AMR claim.
Read more about the AMR claim here.