Pull the field from the data instead of the headers
The validate endpoint will return scopes for a given user access token.
You cannot arbitrarily get the scopes your ClientID has for a given user ID
See this uservoice
Grant will tell you when any grant occurs, but not the scope