Introspect
This is an implementation of the Introspect endpoint as defined by the RFC 7662.
Request#
Inspect an access token issued by this OAuth provider
OpenAPI Spec
Request Headers#
AuthorizationStringoptionalThis header is optional if you have provided the client_id in the request body.
The client_secret may be provided in the request body as well, but may be optional depending on the OAuth grant and configuration settings. If provided, the client_secret must be valid.
Please see the Client Secret section for more details.
If providing client authentication using the Basic Authentication Scheme authorization header, the value is created by taking the clientId and clientSecret properties defined in the Application OAuth Configuration and concatenating them together using a : character.
Here is an example of these two values concatenated.
463228ba-868a-462d-b86f-6096af2d70e0:salkjdsoiu32ldslnkasglhilkja892This value is then Base64 encoded and prepended with the string Basic to denote the schema type. The following is an example Authorization header using the example concatenation above.
Authorization: Basic NDYzMjI4YmEtODY4YS00NjJkLWI4NmYtNjA5NmFmMmQ3MGUwOnNhbGtqZHNvaXUzMmxkc2xua2FzZ2xoaWxramE4OTI=The above concatenation example and resulting Authorization header are simply for demonstration. Your actual header value will be different.
Content-TypeStringrequiredThis value must be set to application/x-www-form-urlencoded.
Request Parameters#
Ensure you are sending these parameters as form encoded data in the request body, do not send these parameters in a query string.
client_idStringoptionalThe unique client identifier. The client Id is the Id of the FusionAuth Application in which you are attempting to authenticate.
This parameter is optional when the Authorization header is provided.
When the Authorization header is not provided, this parameter is then required.
Prior to version 1.46.0 this parameter was always required.
client_secretStringoptionalAvailable since 1.46.0The client secret.
This parameter is optional when the Authorization header is provided.
Please see the the Client Secret table for more details.
tokenStringrequiredThe access token returned by this OAuth provider as the result of a successful authentication.
Starting in version 1.46.0 this endpoint will also accept a token generated by the Client Credentials Grant.
token_type_hintStringoptionalAn optional hint to identify the token type.
When this value is omitted, the token can be an access_token or id_token. When this value is specified, it must match the token type.
In order to use a refresh token, this value must be set to refresh_token.
The possible values are:
access_tokenid_tokenrefresh_tokenAvailable since 1.60.0
Example HTTP Request
POST /oauth2/introspect HTTP/1.1
Host: piedpiper.fusionauth.io
Content-Type: application/x-www-form-urlencoded
Accept: */*
Content-Length: 436
client_id=3c219e58-ed0e-4b18-ad48-f4f92793ae32&token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1MTM3MTM3NzIsImlhdCI6MTUxMzcxMDE3MiwiaXNzIjoiYWNtZS5jb20iLCJzdWIiOiI3MWMxZjE5Yy1kZTRlLTRiZDEtODc3My0zNThkYmIwNWYxNWEiLCJlbWFpbCI6ImRhbmllbEBpbnZlcnNvZnQuY29tIiwiYXBwbGljYXRpb 25JZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMSIsImF1dGhlbnRpY2F0aW9uVHlwZSI6IlBBU1NXT1JEIiwicm9sZXMiOltdfQ.KxfM37hlw-5mKXOP9bCm7O6qdQdleT4gJmudhFueiJA
Response#
Response Codes
| Code | Description |
|---|---|
| 200 | The request was successful. |
| 400 | The request was invalid and/or malformed. The response will contain a JSON message with the specific errors. The error response JSON is covered in the OAuth Error section of the API documentation. |
| 401 | The token provided in the request was not issued for the client_id provided on the request. |
| 500 | There was a FusionAuth internal error. A stack trace is provided and logged in the FusionAuth log files. |
| 503 | The search index is not available or encountered an exception so the request cannot be completed. The response will contain a JSON body. |
Response Body#
This is an example response body when the provided access_token was issued on behalf of a user using the Authorization Code Grant, Implicit Grant, Password Credentials Grant or Refresh Token Grant.
activeStringWhen this value is true the token is valid and additional claims will be provided in the response body.
When this value is false no claims will be provided in the response body.
applicationIdUUIDThe unique Id of the Application for which the user has been authenticated. This claim is only present if the user is registered for the application.
audStringThe client_id that was used to request the access token.
When the application has a non-empty oauthConfiguration.authorizedResourceUris and a resource parameter was resolved during the OAuth flow, this value changes from a plain string to an array. The first element is always the client_id followed by each resolved resource URI: ["client_id", "https://resource1.example.com", ...].
auth_timeLongThe time of the initial authentication request, expressed as unix time. The value will not change even if the token is re-issued using a Refresh Token.
authenticationTypeStringThe method used to authenticate the user that resulted in the generated JWT. The possible values are:
APPLE- The user was authenticated using Apple. Available since 1.17.0APPLICATION_TOKEN- The user was authenticated using an Application Authentication Token.FACEBOOK- The user was authenticated using Facebook. Available since 1.1.0FEDERATED_JWT- The user was authenticated using a JWT from an external Identity Provider.GENERIC_CONNECTOR- The user was authenticated using a generic connector. Available since 1.18.0GOOGLE- The user was authenticated using Google. Available since 1.1.0HYPR- The user was authenticated using HYPR provider. Available since 1.12.0JWT_SSO- A valid JWT authorized to one Application was exchanged for another JWT authorized to a different Application.LDAP_CONNECTOR- The user was authenticated using an LDAP connector. Available since 1.18.0LINKEDIN- The user was authenticated using LinkedIn. Available since 1.23.0ONE_TIME_PASSWORDThe user was authenticated using a one time password. Available since 1.5.0OPENID_CONNECT- The user was authenticated using an external OpenID Connect provider. Available since 1.1.0PASSWORD- The user was authenticated using a loginId and password combination.PASSWORDLESS- The user was authenticated using a passwordless login link. Available since 1.5.0PING- The user was authenticated using aPUTrequest on the Login API. This is used to record a login event without prompting for credentials.REGISTRATION- The user was created using the Registration API. Available since 1.16.0REFRESH_TOKEN- The user requested a new JWT using a Refresh Token.SAMLv2- The user was authenticated using an external SAMLv2 provider. Available since 1.6.0TWITTER- The user was authenticated using Twitter. Available since 1.1.0USER_CREATE- The user was created using the User API. Available since 1.16.0
cnfObjectAvailable since 1.63.0The confirmation claim, which is present for DPoP tokens. The jkt field contains the base64url encoding of the JWK SHA-256 Thumbprint of the DPoP public key (in JWK format) to which the access token is bound.
emailStringThe email address of the user.
email_verifiedBooleanThe verification status of the email. This value is true when the email is verified.
expLongThe expiration instant of the access token, expressed as unix time.
iatLongThe instant the access token was issued, expressed as unix time.
issStringThe issuer of the access token.
jtiStringThe unique identifier of the access token.
phone_numberStringAvailable since 1.50.0The phone number of the user if available. user.phoneNumber or user.mobilePhone will be used in this order of precedence.
phone_number_verifiedBooleanAvailable since 1.59.0The verification status of the phone_number. This value is true when the phone number is verified.
preferred_usernameStringAvailable since 1.5.0The username of the user whose claims are represented by this JWT.
rolesStringThe roles assigned to the user in the authenticated Application.
scopeStringThe scope of the access token. This will only be present if scope was requested during authentication.
subUUIDThe subject of the token. The value is the unique Id of the FusionAuth user.
tidUUIDAvailable since 1.36.0The unique Id of the user's tenant.
Example JSON Response for a valid token
{
"active": true,
"applicationId": "3c219e58-ed0e-4b18-ad48-f4f92793ae32",
"aud": "3c219e58-ed0e-4b18-ad48-f4f92793ae32",
"authenticationType": "PASSWORD",
"email": "test0@fusionauth.io",
"email_verified": true,
"exp": 1487975407000,
"iat": 1487971807000,
"iss": "acme.com",
"phone_number": "+15555551212",
"phone_number_verified": true,
"roles": [
"admin"
],
"sub": "858a4b01-62c8-4c2f-bfa7-6d018833bea7"
}
Example JSON Response for an invalid token
{
"active": false
}
Example JSON Response for a a valid refresh token
{
"active": true,
"exp": 1487975407000
}
Response Body#
Available Since Version 1.46.0
This is an example response body when the provided access_token was issued as the result of the Client Credentials Grant.
activeStringWhen this value is true the token is valid and additional claims will be provided in the response body.
When this value is false no claims will be provided in the response body.
audObjectThe intended audience of this access token. This value may be a string or an array of string values representing one to many intended entities.
cnfObjectAvailable since 1.63.0The confirmation claim, which is present for DPoP tokens. The jkt field contains the base64url encoding of the JWK SHA-256 Thumbprint of the DPoP public key (in JWK format) to which the access token is bound.
expLongThe expiration instant of the access token, expressed as unix time.
iatLongThe instant the access token was issued, expressed as unix time.
issStringThe issuer of the access token.
jtiStringThe unique identifier of the access token.
permissionsThe optional permissions requested for this access token. If no permissions were requested, this token represents all permissions allowed by the grant.
subUUIDThe subject of the token. The value is the unique Id of the FusionAuth user.
tidUUIDThe unique Id of the user's tenant.
Example JSON Response for an valid token
{
"active": true,
"aud": "3c219e58-ed0e-4b18-ad48-f4f92793ae32",
"exp": 1487975407000,
"iat": 1487971807000,
"iss": "acme.com",
"sub": "858a4b01-62c8-4c2f-bfa7-6d018833bea7"
}
Example JSON Response for an invalid token
{
"active": false
}