Introspect OAuth2 Access and Refresh Tokens
The introspection endpoint allows to check if a token (both refresh and access) is active or not. An active token
is neither expired nor revoked. If a token is active, additional information on the token will be included. You can
set additional data for a token by setting session.access_token
during the consent flow.
Request Body
The string value of the token. For access tokens, this is the "access_token" value returned from the token endpoint defined in OAuth 2.0. For refresh tokens, this is the "refresh_token" value returned.
An optional, space separated list of required scopes. If the access token was not granted one of the scopes, the result of active will be false.
- 200
- 400
- 401
Successful token introspection
Schema
Active is a boolean indicator of whether or not the presented token is currently active. The specifics of a token's "active" state will vary depending on the implementation of the authorization server and the information it keeps about its tokens, but a "true" value return for the "active" property will generally indicate that a given token has been issued by this authorization server, has not been revoked by the resource owner, and is within its given time window of validity (e.g., after its issuance time and before its expiration time).
Audience contains a list of the token's intended audiences.
ID is aclient identifier for the OAuth 2.0 client that requested this token.
Expires at is an integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this token will expire.
ext object
Extra is arbitrary data set by the session.
Issued at is an integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this token was originally issued.
IssuerURL is a string representing the issuer of this token
NotBefore is an integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this token is not to be used before.
ObfuscatedSubject is set when the subject identifier algorithm was set to "pairwise" during authorization.
It is the sub
value of the ID Token that was issued.
Scope is a JSON string containing a space-separated list of scopes associated with this token.
Subject of the token, as defined in JWT [RFC7519]. Usually a machine-readable identifier of the resource owner who authorized this token.
TokenType is the introspected token's type, typically Bearer
.
TokenUse is the introspected token's use, for example access_token
or refresh_token
.
Username is a human-readable identifier for the resource owner who authorized this token.
{
"active": true,
"scope": "openid offline collection bookmark reading_session preference user",
"client_id": "quran-demo",
"sub": "a4f5a01a-a641-4b23-ba05-d002b704bfaa",
"exp": 1675239767,
"iat": 1675236166,
"nbf": 1675236166,
"aud": [],
"iss": "https://oauth2.quran.foundation/",
"token_type": "Bearer",
"token_use": "access_token"
}
Bad request
Schema
Error code
Error Debug Information
Only available in dev mode.
Human-readable ASCII text providing additional information about the error
Error Hint
Helps the user identify the error cause.
HTTP Status Code
{
"error": "invalid_client",
"error_debug": "string",
"error_description": "Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). The requested OAuth 2.0 Client does not exist.",
"error_hint": "The redirect URL is not allowed.",
"status_code": 401
}
Unauthorized - invalid client credentials
Schema
Error code
Error Debug Information
Only available in dev mode.
Human-readable ASCII text providing additional information about the error
Error Hint
Helps the user identify the error cause.
HTTP Status Code
{
"error": "invalid_client",
"error_debug": "string",
"error_description": "Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). The requested OAuth 2.0 Client does not exist.",
"error_hint": "The redirect URL is not allowed.",
"status_code": 401
}