In the sandbox, when changing marketplace app / API permissions I need to uninstall and reinstall the app from the marketplace in order to get an API token that has the updated permissions. Simply using the OAuth flow to obtain a new API token gives the old permissions, not the new permissions.
Is this a bug or is this how it's supposed to work? If so, how are we supposed to update permissions on production? Asking merchants to uninstall and reinstall the app is not a solution.