After creating an OAuth2 authorization token, I still don't have any permissions. Why's that?

I have created an authorization token following the steps outlined in How do I create an OAuth2 token? (but this time with the production server rather then the test server).

I have changed the request url by adding a few prefs:

echo "  $AUTHORIZATION_ENDPOINT?response_type=code&client_id=$CLIENT_ID&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&scope=read_prefs+write_prefs+write_api+read_gpx+write_gpx+write_notes+write_diary"

After logging myself in to OpenStreetMap.org, I am asked authorize the following permissions, which I do:

  • Read user preferences
  • Modify user preferences
  • Modify the map
  • Read private GPS traces
  • Upload GPS traces
  • Modify notes
  • Create diary entries, comments and make friends

After authorizing them, it seems to me that I should have them. However, when I do in a shell:

AUTH_CODE='....'

I still have no permissions:

 curl -H "Authorization: Bearer $AUTH_CODE" https://api.openstreetmap.org/api/0.6/permissions

 <?xml version="1.0" encoding="UTF-8"?>
<osm version="0.6" generator="OpenStreetMap server" copyright="OpenStreetMap and contributors" attribution="http://www.openstreetmap.org/copyright" license="http://opendatacommons.org/licenses/odbl/1-0/">
  <permissions>
  </permissions>
</osm>

Where are steps 3 and 4 of the protocol?
https://wiki.openstreetmap.org/wiki/OAuth#Registering_your_application_as_OAuth_2.0_consumer
I think the access token still needs to be created.

This mentioned access token is required here instead of the authorization code.