POST /api/oauth/introspect
Introspect an access token or refresh token (RFC 7662).
Endpoint
```text
POST /api/oauth/introspect
```
Content Type
Send application/x-www-form-urlencoded.
Client Authentication
Supported methods:
- client_secret_basic
- client_secret_post
Required form fields
| Field | Description |
|---|---|
| token | The access token or refresh token to inspect. |
| client_id | Required unless sent via HTTP Basic auth. |
| client_secret | Required unless sent via HTTP Basic auth. |
Optional form fields
| Field | Description |
|---|---|
| token_type_hint | Optional hint: access_token or refresh_token. |
Refresh tokens are detected automatically when the token value starts with rt_.
Success Response
Active access token
```json
{
  "active": true,
  "scope": "openid profile email",
  "client_id": "your-client-id",
  "username": "0b8f7c17-5f43-4f8a-9a43-0e1f2a3b4c5d",
  "sub": "0b8f7c17-5f43-4f8a-9a43-0e1f2a3b4c5d",
  "token_type": "Bearer",
  "exp": 1718816400,
  "iat": 1718812800,
  "jti": "550e8400-e29b-41d4-a716-446655440000",
  "aud": "eprospera-api",
  "iss": "https://portal.eprospera.com"
}
```
Active refresh token
```json
{
  "active": true,
  "scope": "openid profile email offline_access",
  "client_id": "your-client-id",
  "username": "0b8f7c17-5f43-4f8a-9a43-0e1f2a3b4c5d",
  "sub": "0b8f7c17-5f43-4f8a-9a43-0e1f2a3b4c5d",
  "token_type": "refresh_token",
  "exp": 1735689600,
  "iat": 1718812800
}
```
Inactive token
```json
{
  "active": false
}
```
A token is inactive when it is missing, expired, revoked, or was not issued to the authenticated client.
Error Responses
400 Bad Request
```json
{
  "error": "invalid_request"
}
```
401 Unauthorized
```json
{
  "error": "invalid_client"
}
```
429 Too Many Requests
```json
{
  "error": "invalid_request"
}
```
500 Internal Server Error
```json
{
  "error": "internal_server_error"
}
```
Notes
- Revoked access tokens always return { "active": false }.
- Responses include Cache-Control: no-store and Pragma: no-cache.
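Because an active refresh token also introspects as "active": true, a resource server should check more than that one field and reject on any error status. The following is an added example, not code from this API or its documentation: the function names, the required_scopes parameter, the percent-encoding of the Basic credentials, and the choice to pin iss and aud to the values shown in the sample response are assumptions.

```python
import base64
import json
import time
from urllib.parse import quote_plus, urlencode

ISSUER = "https://portal.eprospera.com"   # "iss" value from the sample response
AUDIENCE = "eprospera-api"                # "aud" value from the sample response
# Trimmed copies of this page's sample responses.
SAMPLE_ACCESS = ('{"active": true, "scope": "openid profile email", '
                 '"sub": "0b8f7c17-5f43-4f8a-9a43-0e1f2a3b4c5d", "token_type": "Bearer", '
                 '"exp": 1718816400, "aud": "eprospera-api", "iss": "https://portal.eprospera.com"}')
SAMPLE_REFRESH = ('{"active": true, "scope": "openid profile email offline_access", '
                  '"token_type": "refresh_token", "exp": 1735689600}')


def build_request(token, client_id, client_secret):
    """Return (headers, body) for POST /api/oauth/introspect using client_secret_basic."""
    # RFC 6749 section 2.3.1: form-encode id and secret before Base64 (assumed to apply here).
    pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    headers = {
        "Authorization": "Basic " + base64.b64encode(pair.encode()).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"token": token, "token_type_hint": "access_token"})
    return headers, body


def accept_access_token(status, raw_body, required_scopes, now=None):
    """Return the subject if the token may be used as a Bearer access token, else None."""
    now = time.time() if now is None else now
    if status != 200:                        # 400/401/429/500: fail closed
        return None
    try:
        data = json.loads(raw_body)
    except ValueError:
        return None
    if not isinstance(data, dict) or data.get("active") is not True:
        return None                          # strict boolean, not a truthy string
    if data.get("token_type") != "Bearer":   # an active refresh token is not an API credential
        return None
    exp = data.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    if data.get("iss") != ISSUER or data.get("aud") != AUDIENCE:
        return None
    granted = set(str(data.get("scope", "")).split())
    if not set(required_scopes) <= granted:
        return None
    return data.get("sub")
```

In line with the Cache-Control: no-store header noted above, the caller should not cache a positive result past the token's exp.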