I'm using API Gateway to expose a Cloud Run instance to the internet.

The gateway is configured to use `oauth2` authentication, i.e. only clients with valid credentials from a service account JSON key file are able to authenticate and therefore access the backend functionality. The users of the API are creating their own self-signed JWT access tokens based on details from the JSON key file.

1. Is there some way for a user of the API to get an access token that doesn't involved having to craft one themselves?

The service was penetration tested and one of the findings was that TLS 1.0 and 1.1 are both offered.
2. Is it possible to disable TLS 1.0 and 1.1 while leaving TLS 1.2 and 1.3 enabled?