In this example, Apigee is proxying a 'solar system' API. When a resource is requested, Apigee is looking for a jwt - an Okta access token - in the header of the request. Apigee verifies the jwt against the key from the Okta authorization server's well-known endpoint. If the jwt is verified and contains the proper scopes, then the request is passed on to the target API endpoint.
Just authenticate as one of the users on the right to get started.
In this scenario, one user (Clark Kent) is subscribed to the "silver" level of access, which means he will be able to access the /planets endpoint with his access token by virtue of the "http://myapp.com/scp/silver" scope. Okta will mint the access token and include the "http://myapp.com/scp/silver" scope because Clark belongs to the "silverSubscribers" group in Okta.
Similarly, another user (Lois Lane) is subscribed to the "gold" level of access, which means she will be able to access the /moons endpoint, and she will also be able to access the /planets endpoint by virtue of the scopes included in her access token.
Try clicking on the buttons as an unauthenticated user, and then as Clark and Lois to get a sense of how the access tokens work with the API endpoints.
username: clark.kent
password: mars
username: lois.lane
password: mars