Error in Access Token Response?

Probably a minor error in the API, but when requesting an access token from https://www.geni.com/oauth/token the returned POST response is tagged as "ContentType = application/json; charset=utf-8", but the data is obviously using ContentType = "application/x-www-form-urlencoded" like this result: access_token=aBlZqgBbjRS6dKxndZthtsI2u7EgOg9tluTfFkIS

As far as I understand the OAuth2 standard the response should be JSON like this:
{ "access_token":"aBlZqgBbjRS6dKxndZthtsI2u7EgOg9tluTfFkIS"}

I think the JSON in the spec is only an example. Later they use a form-urlencoded example. The spec seems to be ambiguous on that.

I'll add a way to request the specific response type by adding a format parameter (eg format=json).

In any case the returned ContentType today tells that the data is json, so this is an error since the content is x-www-form-urlencoded, not JSON (got an error on this)

Using a format parameter is not supplied by the spec.

The Geni API does not follow the Error Response recommendation of the OAuth2 standard either.

http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-5.2

I tested my app by fabricating some of the errors. - Yes, I am very focused on following (and making) standards ;-)

Access token responses will be JSON only after the next update.

Background:
Our API test client was relying on an older oauth2 gem which has been updated to work properly with JSON. I've updated the API test client code as well.

Looks like the JSON update won't be going out with the next update.
We need to notify some of our API users before the change can go live.

Thanks.

A summary from a private discussion:

* I discovered that there was no auto-expire on access_token's, resulting in that even three months old access_token examples posted to these discussions gave me API access to all private profiles of that user (including my example above that was temporary deleted until the issue was solved). This is now solved.
Never post examples with valid access_token - that gives everyone an open door to your login, - for me as a curator a valid access_token from me would give everyone curator access to all public profiles in Geni (90 millions?) ;-) Geni should consider betters signing of API requests and not only a simple access_token

* access_token's will expire in 24-hours(?)

* access token responses will be JSON after the next update.

* Calling https://www.geni.com/oauth/invalidate?access_token=<token> will invalidate the token and should be used to log out your application.

* Returned data from request_token will be JSON and also include the expires_in parameter.
Example: http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-4.1.4