The token introspect endpoint returns the active state and the metadata of an OAuth 2.0 token. Only an authorized protected resource (a resource server registered with the authorization server) can query the OAuth 2.0 authorization server for token introspection.
This endpoint returns a JSON response and follows RFC 7662 (OAuth 2.0 Token Introspection).
Endpoint URL: https://<Identity Server URL: Port Number>/nidp/oauth/v1/nam/introspect
Request method: POST
You must authenticate the request with one of the following methods:

- client_secret_basic: an Authorization header with the value Basic followed by Base64Encode(<client_id>:<client_secret>)
- bearer: an Authorization header with the value Bearer followed by an access token that was obtained through the client credentials flow
- client_secret_post: client_id and client_secret sent as request body parameters

If a request carries more than one of these methods, the endpoint evaluates only the one with the highest priority, in this order:

1. client_secret_basic
2. bearer
3. client_secret_post

For example, if a request contains both a Basic Authorization header (client_secret_basic) and client_id and client_secret in the request body (client_secret_post), the endpoint validates the request using only the Basic header. If those credentials are invalid, the endpoint returns a 401 response; it does not fall back to the client_id and client_secret in the body.

NOTE: When you provide more than one authentication method, the introspect endpoint responds based on this priority, so supplying extra credentials never helps a request succeed.
The token introspect request must include the following parameters:

| Parameter | Required | Description |
|---|---|---|
| token | Yes | The token to be introspected. Only access tokens and refresh tokens can be introspected. |
| token_type_hint | Optional | A hint about the type of the token submitted for introspection. RFC 7662 defines the values access_token and refresh_token. |
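The following is an added example (not code from the product documentation) showing how a resource server builds the introspection POST for each of the three client-authentication methods, and how the documented priority decides which credentials the endpoint actually evaluates. The host, client_id, client_secret and token values are placeholders, and the `effective_auth_method` helper is an illustrative client-side model of the precedence rules, not an API of the Identity Server.

```python
import base64
import json
import urllib.parse
import urllib.request

# Placeholder Identity Server address; replace with your own host and port.
IDP_BASE = "https://idp.example.com:8443"
INTROSPECT_URL = IDP_BASE + "/nidp/oauth/v1/nam/introspect"


def basic_auth_header(client_id, client_secret):
    """client_secret_basic: 'Basic ' + Base64(client_id:client_secret)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_introspect_request(token, method, token_type_hint=None,
                             client_id=None, client_secret=None,
                             bearer_token=None):
    """Return (headers, form_body) for an introspection POST.

    method is one of "client_secret_basic", "bearer" or "client_secret_post".
    token_type_hint, if given, should be "access_token" or "refresh_token"
    (the values RFC 7662 defines).
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    body = {"token": token}
    if token_type_hint is not None:
        body["token_type_hint"] = token_type_hint

    if method == "client_secret_basic":
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    elif method == "bearer":
        # Access token previously obtained with the client credentials grant.
        headers["Authorization"] = "Bearer " + bearer_token
    elif method == "client_secret_post":
        body["client_id"] = client_id
        body["client_secret"] = client_secret
    else:
        raise ValueError(f"unknown authentication method: {method}")
    return headers, body


def effective_auth_method(headers, body):
    """Model of the endpoint's documented precedence: client_secret_basic,
    then bearer, then client_secret_post. Returns None if no credentials
    are present. Credentials of a lower-priority method are ignored, so
    a bad Basic header is a 401 even if the body carries a valid secret."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        return "client_secret_basic"
    if auth.startswith("Bearer "):
        return "bearer"
    if "client_id" in body and "client_secret" in body:
        return "client_secret_post"
    return None


def introspect(token, method, **creds):
    """Send the request and return the parsed JSON response (network call)."""
    headers, body = build_introspect_request(token, method, **creds)
    req = urllib.request.Request(INTROSPECT_URL, method="POST", headers=headers,
                                 data=urllib.parse.urlencode(body).encode())
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)
```

Prefer client_secret_basic or bearer over client_secret_post in practice: a secret in the request body is more likely to end up in request logs or proxies than one in an Authorization header, and the endpoint evaluates the header first anyway.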
The response is a JSON object with the following parameters:

| Parameter | Required | Description |
|---|---|---|
| active | Yes | A boolean indicating whether the token in the introspection request is currently active. When it is false, no other parameter should be relied on. |
| scope | Optional | The space-separated list of scopes associated with the token. |
| client_id | Optional | The client identifier of the OAuth 2.0 client that requested the token. |
| username | Optional | A human-readable identifier of the resource owner who authorized the token. |
| token_type | Optional | The type of the token. |
| exp | Optional | The timestamp, in seconds since the epoch, at which the token expires. |
| iat | Optional | The timestamp, in seconds since the epoch, at which the token was issued. |
| nbf | Optional | The timestamp, in seconds since the epoch, before which the token must not be accepted. |
| sub | Optional | A machine-readable identifier of the resource owner who authorized the token. |
| aud | Optional | The intended audience of the token. |
| iss | Optional | The issuer of the token. |
| jti | Optional | A string identifier for the token. |
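The following is an added example (not code from the product documentation) of how a resource server should evaluate an introspection response before granting access: it treats anything other than a boolean true in active as a rejection, applies exp and nbf with a small clock-skew allowance, and insists that aud and iss match this resource server. The sample response is constructed for illustration; its claim values are not from a real server, and the expected audience and issuer are placeholders.

```python
import json
import time

# Constructed sample response, shaped like one from the introspect endpoint;
# none of these values come from a real server.
SAMPLE_RESPONSE = json.dumps({
    "active": True,
    "scope": "profile email",
    "client_id": "api-client",
    "username": "alice",
    "token_type": "bearer",
    "exp": 1700003600,
    "iat": 1700000000,
    "nbf": 1700000000,
    "sub": "alice@example.com",
    "aud": ["https://api.example.com"],
    "iss": "https://idp.example.com:8443/nidp/oauth/nam",
    "jti": "constructed-jti-0001",
})


def check_introspection(raw_json, expected_aud, expected_iss,
                        required_scopes=(), now=None, leeway=60):
    """Decide whether a token may be accepted based on an introspection response.

    Returns (accepted, reason). Only 'active' is guaranteed to be present, so
    exp and nbf are checked when the server sends them; aud and iss are
    required by this resource server because a token issued for a different
    audience or by another issuer must never be honoured.
    """
    now = int(time.time()) if now is None else now
    try:
        data = json.loads(raw_json)
    except ValueError:
        return False, "response is not valid JSON"

    # An inactive token is reported as {"active": false} and nothing else in
    # the response may be trusted. Compare with the boolean, not a truthy string.
    if data.get("active") is not True:
        return False, "token is not active"

    exp = data.get("exp")
    if exp is not None and now > exp + leeway:
        return False, "token expired"
    nbf = data.get("nbf")
    if nbf is not None and now < nbf - leeway:
        return False, "token not yet valid"

    # aud may be a single string or a list of strings.
    aud = data.get("aud")
    aud_list = [aud] if isinstance(aud, str) else list(aud or [])
    if expected_aud not in aud_list:
        return False, "token not intended for this resource"

    if data.get("iss") != expected_iss:
        return False, "unexpected issuer"

    granted = set(data.get("scope", "").split())
    missing = set(required_scopes) - granted
    if missing:
        return False, "missing scope(s): " + ", ".join(sorted(missing))
    return True, "ok"
```

The leeway covers ordinary clock drift between the Identity Server and the resource server; keep it to tens of seconds, since every second of leeway extends the window in which a revoked-at-expiry token is still accepted.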