
Introspect OAuth2 Access and Refresh Tokens

The introspection endpoint allows checking whether a token (refresh or access) is active. An active token is neither expired nor revoked. If a token is active, additional information about the token is included in the response. You can attach additional data to a token by setting session.access_token during the consent flow.

Request Body
    token string required

    The string value of the token. For access tokens, this is the "access_token" value returned from the token endpoint defined in OAuth 2.0. For refresh tokens, this is the "refresh_token" value returned.

    scope string

    An optional, space-separated list of required scopes. If the token was not granted every one of the listed scopes, active will be false in the response.

Responses

Successful token introspection


Schema
    active boolean required

    Active is a boolean indicator of whether or not the presented token is currently active. The specifics of a token's "active" state will vary depending on the implementation of the authorization server and the information it keeps about its tokens, but a "true" value return for the "active" property will generally indicate that a given token has been issued by this authorization server, has not been revoked by the resource owner, and is within its given time window of validity (e.g., after its issuance time and before its expiration time).

    aud string[]

    Audience contains a list of the token's intended audiences.

    client_id string

    ID is a client identifier for the OAuth 2.0 client that requested this token.

    exp int64

    Expires at is an integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this token will expire.

    ext object

    Extra is arbitrary data set by the session.

    iat int64

    Issued at is an integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this token was originally issued.

    iss string

    IssuerURL is a string representing the issuer of this token.

    nbf int64

    NotBefore is an integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this token is not to be used before.

    obfuscated_subject string

    ObfuscatedSubject is set when the subject identifier algorithm was set to "pairwise" during authorization. It is the sub value of the ID Token that was issued.

    scope string

    Scope is a JSON string containing a space-separated list of scopes associated with this token.

    sub string

    Subject of the token, as defined in JWT [RFC7519]. Usually a machine-readable identifier of the resource owner who authorized this token.

    token_type string

    TokenType is the introspected token's type, typically Bearer.

    token_use string

    TokenUse is the introspected token's use, for example access_token or refresh_token.

    username string

    Username is a human-readable identifier for the resource owner who authorized this token.
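Putting the request parameters and the response schema together, as an added example that is not part of this page or of the project's own code: a resource server builds the introspection request body and then evaluates the returned fields locally before trusting the token. The token value and the sample response are constructed, and the scope re-check, clock skew and audience check are this example's own policy, not behaviour the page specifies.

```python
import time
from urllib.parse import urlencode

# Constructed sample of a response for a live access token (illustrative values,
# not taken from any real deployment).
SAMPLE_ACTIVE = {
    "active": True,
    "aud": ["https://api.example.test"],
    "client_id": "my-client",
    "exp": 1_700_003_600,
    "iat": 1_700_000_000,
    "nbf": 1_700_000_000,
    "iss": "https://hydra.example.test/",
    "scope": "openid offline read:orders",
    "sub": "user-42",
    "token_type": "Bearer",
    "token_use": "access_token",
}


def build_introspection_body(token, required_scopes=()):
    """Form-encoded request body: 'token' is required, 'scope' is the optional
    space-separated list of scopes the token must have been granted."""
    params = {"token": token}
    if required_scopes:
        params["scope"] = " ".join(required_scopes)
    return urlencode(params)


def check_introspection(resp, required_scopes=(), audience=None, now=None, skew=30):
    """Decide whether a resource server should accept the token described by an
    introspection response. Returns (accept, reason). 'skew' is tolerated clock drift."""
    now = int(time.time()) if now is None else now
    if not resp.get("active"):
        return False, "token is not active (expired, revoked, unknown, or missing a required scope)"
    if resp.get("token_use") != "access_token":  # never accept a refresh token as a bearer credential
        return False, "not an access token: token_use=%r" % resp.get("token_use")
    if "exp" in resp and now > resp["exp"] + skew:
        return False, "token has expired"
    if "nbf" in resp and now + skew < resp["nbf"]:
        return False, "token is not yet valid"
    missing = set(required_scopes) - set(resp.get("scope", "").split())  # re-check locally
    if missing:
        return False, "missing scopes: %s" % sorted(missing)
    if audience is not None and audience not in resp.get("aud", []):
        return False, "token was not issued for this audience"
    return True, "ok"
```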
