Avnology ID

Introspect Token

Check whether an access token or refresh token is active and retrieve its associated metadata.

Endpoint

POST /oauth2/introspect

Base URL: https://api-id.avnology.net

Content-Type: application/x-www-form-urlencoded

Authentication: Client credentials

Returns metadata about a token including whether it is active, the subject, scopes, and expiration. Use this on your resource server to validate access tokens received from clients.

Request

| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| token | string | Yes | The token to introspect |
| token_type_hint | string | No | access_token or refresh_token |
| client_id | string | Yes | Your client ID |
| client_secret | string | Yes | Your client secret |

Example Request

curl -X POST https://api-id.avnology.net/oauth2/introspect \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "token=eyJhbGciOiJSUzI1NiI..." \
  -d "client_id=cli_abc123def456" \
  -d "client_secret=cs_secret_value"

Response

Active Token

{
  "active": true,
  "sub": "usr_4f18acec-2712-4be7-a9af-b063b4f6deba",
  "client_id": "cli_abc123def456",
  "scope": "openid profile email",
  "iss": "https://api-id.avnology.net",
  "aud": ["cli_abc123def456"],
  "exp": 1712583300,
  "iat": 1712582400
}

Inactive Token

{
  "active": false
}

An inactive response is returned when the token is expired, revoked, malformed, or was issued to a different client.
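
On a resource server, the decision should fail closed on anything other than a well-formed active response. The following is an added example, not code from the Avnology documentation or SDK, that evaluates the response fields shown above; the function name `token_allows`, the caller-supplied audience, and the policy of denying when `iss`, `aud`, `exp`, or `scope` is absent are assumptions of this sketch.

```python
import time

# Assumed expected issuer for this sketch: the base URL shown on this page.
EXPECTED_ISSUER = "https://api-id.avnology.net"

def token_allows(resp, required_scope, audience, issuer=EXPECTED_ISSUER, now=None):
    """Return True only if the introspection response authorizes the request.

    Fails closed: any missing, malformed, or mismatched field denies access.
    """
    if not isinstance(resp, dict):
        return False
    # Require the JSON boolean true; a string such as "false" is truthy in Python.
    if resp.get("active") is not True:
        return False
    if resp.get("iss") != issuer:
        return False
    # "aud" may be a single string or a list of strings.
    aud = resp.get("aud")
    audiences = [aud] if isinstance(aud, str) else aud
    if not isinstance(audiences, list) or audience not in audiences:
        return False
    # Defense in depth: re-check expiry locally (bool is excluded on purpose).
    exp = resp.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        return False
    if exp <= (time.time() if now is None else now):
        return False
    # "scope" is a space-delimited string; compare whole tokens, not substrings.
    scope = resp.get("scope")
    if not isinstance(scope, str) or required_scope not in scope.split():
        return False
    return True

# Constructed sample responses, using the field values shown on this page.
ACTIVE = {
    "active": True,
    "sub": "usr_4f18acec-2712-4be7-a9af-b063b4f6deba",
    "client_id": "cli_abc123def456",
    "scope": "openid profile email",
    "iss": "https://api-id.avnology.net",
    "aud": ["cli_abc123def456"],
    "exp": 1712583300,
    "iat": 1712582400,
}
INACTIVE = {"active": False}
```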

Code Examples

JavaScript (fetch)

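async function introspectToken(token, clientId, clientSecret) {
  const response = await fetch('https://api-id.avnology.net/oauth2/introspect', {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    // Form-encode the same parameters as the curl example.
    body: new URLSearchParams({ token, client_id: clientId, client_secret: clientSecret }),
  });
  return response.json();
}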

Python (httpx)

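import httpx

def introspect_token(token: str, client_id: str, client_secret: str) -> dict:
    # Client credentials are sent in the form body, as in the curl example.
    return httpx.post("https://api-id.avnology.net/oauth2/introspect", data={
        "token": token,
        "client_id": client_id,
        "client_secret": client_secret,
    }).json()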

Go (net/http)

func introspectToken(ctx context.Context, token, clientID, clientSecret string) (*IntrospectionResult, error) {
	data 










  • Token Endpoint -- obtain tokens
  • JWKS -- local JWT validation alternative
  • SDK: client.oauth.introspectToken(token) (TypeScript)