Documentation
Introspect
Check whether an access or refresh token is active and return its metadata.
POST/api/auth/oauth2/introspect
Purpose
RFC 7662 token introspection. Use this when your resource server needs to validate opaque tokens, or when you want the authorization server to confirm JWT status without local JWKS verification alone.
Tip
First-party apps that issue JWT access tokens should also call
/api/internal/user-access on session checks — bans and grant revocations are not reflected in JWT signatures.Request
| Field | Description |
|---|---|
token | Access or refresh token value |
token_type_hint | Optional: access_token or refresh_token |
client_id / client_secret | Client authentication (confidential clients) |
Response
JSON introspection payload. When the token is invalid or revoked, active is false. Active tokens include claims such as scope, client_id, exp, and sub when available.
Example
introspect.sh
curl -X POST "https://auth.rdnt.live/api/auth/oauth2/introspect" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "token=ACCESS_OR_REFRESH_TOKEN" \
-d "token_type_hint=access_token" \
-d "client_id=YOUR_CLIENT_ID" \
-d "client_secret=YOUR_CLIENT_SECRET"