OAuth 2 Compliant
This endpoint is compliant with the Token Introspection Endpoint specification.
Client Authentication
This API can only be called by confidential clients (i.e., BACKEND_SERVER and MACHINE_TO_MACHINE client types) and they must supply their client ID and secret in the Authorization header using the Basic Authentication scheme. For example, Authorization: Basic base64Encode(<client_id>:<client_secret>).
This API can be used to introspect the following tokens:
- Access Token
- Refresh Token
- ID Token
Introspection can be used to assert that a token is valid and also extract the claims from the token. Typically, for performance benefits, token validation should be done locally instead of calling the Token Introspection Endpoint. However, in some cases it may be more convenient to call the Token Introspection Endpoint.
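For the cases where calling the endpoint is the convenient option, here is a sketch of a confidential client's request and of fail-closed handling of the reply. It is an added example, not code from this API's documentation: the endpoint URL is a placeholder, the function names are hypothetical, the sample responses are constructed, and the `token`, `token_type_hint`, `active` and `exp` fields are taken from the Token Introspection specification (RFC 7662).

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Placeholder: the page does not give the endpoint URL.
INTROSPECTION_URL = "https://auth.example.invalid/oauth2/introspect"


def build_introspection_request(client_id, client_secret, token, hint=None):
    """Build (not send) an RFC 7662 introspection request with Basic client auth."""
    # Authorization: Basic base64Encode(<client_id>:<client_secret>), as the page describes.
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    form = {"token": token}
    if hint:  # optional RFC 7662 parameter, e.g. "access_token" or "refresh_token"
        form["token_type_hint"] = hint
    return urllib.request.Request(
        INTROSPECTION_URL,
        data=urllib.parse.urlencode(form).encode(),
        headers={
            "Authorization": f"Basic {creds}",
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        },
        method="POST",
    )


def claims_if_active(body, now=None):
    """Return the claims only if the server reports the token as active; else None."""
    try:
        claims = json.loads(body)
    except ValueError:
        return None  # fail closed on an unparseable response
    # RFC 7662: "active" is a required boolean; anything but True means reject.
    if not isinstance(claims, dict) or claims.get("active") is not True:
        return None
    exp = claims.get("exp")
    now = time.time() if now is None else now
    if isinstance(exp, (int, float)) and exp <= now:
        return None  # defensive check on the expiry claim when it is present
    return claims


# Constructed sample responses (not captured from a real server).
ACTIVE = '{"active": true, "sub": "user-123", "scope": "read", "exp": 2000000000}'
INACTIVE = '{"active": false}'
```

Send the request with `urllib.request.urlopen(req, timeout=...)` over HTTPS only, and keep the client secret and the submitted token out of application logs.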