POST /oauth/introspect
The /oauth/introspect endpoint is used to verify a token and to translate it into claims. Introspection is defined in RFC 7662.
A token can only be introspected by a client within the same merchant, or by a client that is the intended audience, meaning the service domain of the introspecting client must be in the aud claim array. For further information on cross-merchant introspection, see Specifying a resource indicator.
Request
POST /oauth/introspect
Authorization: Basic NGU4NDYz...OmZvb2Jhcg==
Content-Type: application/x-www-form-urlencoded

token=eyJ0eXAiOiJK...jUaR-nZOx5MGg
Response
Request with valid, non-expired token
HTTP/1.1 200 OK
Content-Length: 622
Content-Type: application/json
Date: Mon, 29 Feb 2016 13:37:00 GMT

{
  "sub": "5d75167d-8841-5072-89cb-985915e2dbb3",
  "aud": [
    "http://example.com"
  ],
  "scope": "profile address email phone",
  "iss": "https://login.schibsted.com/",
  "active": true,
  "token_type": "Bearer",
  "exp": 1503928222,
  "iat": 1503924622,
  "client_id": "4e8463569caf7ca019000007",
  "jti": "45e73931-fcd6-4260-b5eb-51286c781e53"
}
Request with invalid token
An invalid token can be an expired token, a token not intended for the introspecting client, or a non-JWT token.
HTTP/1.1 200 OK
Content-Length: 230
Content-Type: application/json
Date: Mon, 29 Feb 2016 13:37:00 GMT

{
  "active": false
}
Failure cases
- 400 Bad Request: Missing token
- 401 Unauthorized: Invalid client credentials
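Client-side handling of the request and responses above, as an added example that is not part of the original documentation or Schibsted's own code. It builds the request shown under Request and accepts a token only when the response is 200 with active true and the local audience, expiry and scope checks pass. The function names, the INTROSPECT_URL host (inferred from the sample iss value), and the service_domain and required_scope parameters are assumptions.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Assumption: host inferred from the "iss" value in the sample response.
INTROSPECT_URL = "https://login.schibsted.com/oauth/introspect"
# Claims copied (trimmed) from the page's sample response for a valid token.
SAMPLE = json.dumps({"active": True, "aud": ["http://example.com"],
                     "scope": "profile address email phone", "exp": 1503928222,
                     "sub": "5d75167d-8841-5072-89cb-985915e2dbb3"})


def build_introspect_request(client_id, client_secret, token):
    """Build (without sending) the form-encoded POST with Basic client auth."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"token": token}).encode()
    return urllib.request.Request(
        INTROSPECT_URL, data=body, method="POST",
        headers={"Authorization": f"Basic {creds}",
                 "Content-Type": "application/x-www-form-urlencoded"})


def authorize(status, body, service_domain, required_scope, now=None):
    """Return the claims if the token may be accepted, else None (fail closed)."""
    if status != 200:  # 400 missing token, 401 invalid client credentials
        return None
    try:
        claims = json.loads(body)
    except ValueError:
        return None
    if not isinstance(claims, dict) or claims.get("active") is not True:
        return None
    # A same-merchant client can introspect tokens whose aud does not list it,
    # so "active" alone does not show the token was issued for this service.
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if service_domain not in aud:
        return None
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    if required_scope not in str(claims.get("scope", "")).split():
        return None
    return claims
```
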
See also
- POST /oauth/token
- POST /oauth/register
- POST /oauth/ro
- GET /oauth/userinfo
- GET /oauth/jwks
- GET /oauth/authorize
- Server to Server Auth
- Token introspection