Authentication for introspection endpoint

The documentation relating to introspection: https://www.keycloak.org/docs/4.8/authorization_services/#_service_protection_token_introspection

gives the following info:

To introspect an RPT using this endpoint, you can send a request to the server as follows:

```
curl -X POST
```

The request above is using HTTP BASIC and passing the client’s credentials (client ID and secret) to authenticate the client attempting to introspect the token, but you can use any other client authentication method supported by Keycloak.

I am using the Oathkeeper authenticator, which only allows configuring a bearer token as the authentication method when calling out to the introspection endpoint. However, I do not know what scopes or config I need for the calling client to allow this to work; so far my attempts just result in an Authentication Failed message.

What scopes or other config do I need to set up?