
Token Management

Refresh, revoke, and introspect tokens with the Python SDK.

Token Management

refresh_token()

# Exchange the current refresh token for a fresh token pair.
rotated = client.oauth.refresh_token(refresh_token="rt_abc123...")

# The response carries a new refresh token as well (rotation): store it for
# the next refresh. Printing is for illustration only; keep real tokens out
# of stdout and logs.
print(rotated.access_token)   # New access token
print(rotated.refresh_token)  # New refresh token (rotated)

revoke_token()

# Revoking a refresh token also invalidates the access tokens derived from it.
client.oauth.revoke_token(
    token="rt_abc123...",
    token_type_hint="refresh_token",
)

# Revoke one specific access token and nothing else.
client.oauth.revoke_token(
    token="eyJ...",
    token_type_hint="access_token",
)

introspect_token()

# Ask the authorization server for the token's current state.
info = client.oauth.introspect_token(token=access_token)

# Read the other fields only when `active` is true; an inactive result means
# the token must not be trusted, whatever else the response contains.
if not info.active:
    print("Token is expired or revoked")
else:
    print(f"User: {info.sub}")
    print(f"Scopes: {info.scope}")
    print(f"Expires: {info.exp}")
    print(f"Org: {info.org_id}")

Middleware usage

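def require_auth(f):
    """Decorator to protect endpoints with token validation.

    Reads the bearer token from the ``Authorization`` header, introspects it
    with ``client.oauth.introspect_token`` and, when the token is active,
    stores ``user_id``, ``scopes`` and ``org_id`` on ``g`` before calling the
    wrapped view. In every other case it answers 401 and the view is not
    called.

    This only authenticates the caller. The wrapped view still has to check
    ``g.scopes`` and ``g.org_id`` before acting on a resource.
    """
    @wraps(f)
    def decorated(*args, **kwargs):
        auth_header = request.headers.get("Authorization", "")

        # The auth scheme is case-insensitive (RFC 9110), so compare it
        # lowercased rather than against a literal "Bearer " prefix.
        scheme, _, token = auth_header.partition(" ")
        token = token.strip()
        if scheme.lower() != "bearer" or not token:
            # "Bearer" followed by nothing is a missing token too; reject it
            # here instead of spending an introspection call on it.
            response = jsonify({"error": "missing_token"})
            response.headers["WWW-Authenticate"] = "Bearer"
            return response, 401

        # An exception raised by the SDK propagates from here, so the view is
        # never reached when introspection itself fails (fail closed).
        result = client.oauth.introspect_token(token=token)

        if not result.active:
            response = jsonify({"error": "invalid_token"})
            response.headers["WWW-Authenticate"] = 'Bearer error="invalid_token"'
            return response, 401

        # NOTE(review): `active` alone does not say what kind of token this is
        # or whom it was issued for. If the introspection result exposes a
        # token type or audience, reject anything that is not an access token
        # meant for this API. Confirm the field names against the SDK.
        g.user_id = result.sub
        # Presumably `scope` can be empty or None for a token without scopes;
        # treat that as "no scopes" rather than failing the request.
        g.scopes = (result.scope or "").split()
        g.org_id = result.org_id
        return f(*args, **kwargs)

    return decorated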

verify_token()

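Local JWT verification using JWKS (faster than introspection). Because the check is local, a token revoked with revoke_token() may still verify until it expires; use introspect_token() where revocation must take effect immediately.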

# Verified locally using JWKS; no introspection call is made.
# NOTE(review): presumably this raises for an invalid or expired token;
# confirm against the SDK and handle that case before reading any claim.
verified = client.oauth.verify_token(access_token)
print(verified.sub)    # User ID
print(verified.email)  # Email
