Documentation

Introspect

Check whether an access or refresh token is active and return its metadata.

POST/api/auth/oauth2/introspect

Purpose

RFC 7662 token introspection. Use this when your resource server needs to validate opaque tokens, or when you want the authorization server to confirm JWT status without local JWKS verification alone.

Tip
First-party apps that issue JWT access tokens should also call /api/internal/user-access on session checks — bans and grant revocations are not reflected in JWT signatures.

Request

FieldDescription
tokenAccess or refresh token value
token_type_hintOptional: access_token or refresh_token
client_id / client_secretClient authentication (confidential clients)

Response

JSON introspection payload. When the token is invalid or revoked, active is false. Active tokens include claims such as scope, client_id, exp, and sub when available.

Example

introspect.sh
curl -X POST "https://auth.rdnt.live/api/auth/oauth2/introspect" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "token=ACCESS_OR_REFRESH_TOKEN" \
  -d "token_type_hint=access_token" \
  -d "client_id=YOUR_CLIENT_ID" \
  -d "client_secret=YOUR_CLIENT_SECRET"