Token Introspection (RFC 7662)

Allows a Resource Server to query the Authorization Server about the current state of an access token. Returns metadata including whether the token is active, its scopes, subject, and expiration. Essential for opaque tokens and revocation checking.

Try in Looking Glass

Sequence Diagram

Click any step for details

APIAuth Server1Introspection Request2Token Validation3Introspection Response
Request
Response
Redirect
Internal

Step-by-Step Breakdown

1
Introspection Request
Resource ServerAuthorization Server
2
Token Validation
Authorization ServerAuthorization Server
3
Introspection Response
Authorization ServerResource Server

Token Inspector

Specs for this flow

Sections of the protocol that normatively define this flow, plus the security considerations that apply to it.

Core specs

· The specifications that define this protocol.

Security & privacy

· Dedicated security and privacy considerations.