Introspect an access token (RFC 7662)
Returns metadata about an access token (or {active: false} for an unknown, expired, or revoked token). The OAuth application must authenticate either via HTTP Basic or via client_id/client_secret in the body — the same credentials that minted the token.
```bash
curl -X POST "https://example.com/oauth/introspect" \
  -H "Content-Type: application/json" \
  -d '{}'
```

Response Body (application/json)

```json
{ "active": false }
```

```json
{ "error": "string", "error_description": "string" }
```

Exchange client credentials for an access token POST
RFC 6749 §4.4 client_credentials grant. Accepts the client id and secret either in the request body or via HTTP Basic auth, plus an optional space-separated `scope` parameter. The minted token is a bearer string prefixed with `oat_` and expires in one hour. Refresh tokens are not issued for this grant; request a new access token when the previous one expires.
Revoke an access token (RFC 7009) POST
Marks an access token as revoked. Subsequent requests presenting it return 401 unrecognized_token. Always returns 200 for valid client credentials, regardless of whether the token existed — per RFC 7009 to avoid leaking token-existence information.
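The behaviour of the three endpoints described above, modelled in memory as an added example (not this API's own code). Client ids and secrets, function names, the `invalid_client` error with status 401 for failed client authentication, the token format after the `oat_` prefix, and treating another client's token as inactive are assumptions.

```javascript
// Added example: in-memory model of the documented endpoint behaviour.
// Client ids/secrets and all function names are constructed for illustration.
const rng = globalThis.crypto ?? require("node:crypto").webcrypto;
const TTL_MS = 60 * 60 * 1000; // page: tokens expire in one hour
const clients = new Map([["app-a", "secret-a"], ["app-b", "secret-b"]]);
const tokens = new Map(); // token -> { clientId, scope, exp, revoked }

// Compares every character so timing does not reveal where a wrong secret first differs.
function sameSecret(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i % b.length);
  return diff === 0;
}

function authenticate(id, secret) {
  const known = clients.get(id);
  return typeof secret === "string" && sameSecret(secret, known ?? "") && known !== undefined;
}

// Assumption: failed client authentication is answered with 401 invalid_client.
const denied = () => ({ status: 401, body: { error: "invalid_client" } });

function mint(id, secret, scope = "", now = Date.now()) {
  if (!authenticate(id, secret)) return denied();
  const bytes = rng.getRandomValues(new Uint8Array(32));
  const token = "oat_" + Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
  tokens.set(token, { clientId: id, scope, exp: now + TTL_MS, revoked: false });
  return { status: 200, body: { access_token: token, token_type: "bearer", expires_in: TTL_MS / 1000, scope } };
}

function introspect(id, secret, token, now = Date.now()) {
  if (!authenticate(id, secret)) return denied();
  const t = tokens.get(token);
  // Unknown, expired, revoked, or (assumption) minted by another client: one identical answer.
  if (!t || t.revoked || now >= t.exp || t.clientId !== id) return { status: 200, body: { active: false } };
  return { status: 200, body: { active: true, client_id: t.clientId, scope: t.scope, exp: Math.floor(t.exp / 1000) } };
}

function revoke(id, secret, token) {
  if (!authenticate(id, secret)) return denied();
  const t = tokens.get(token);
  if (t && t.clientId === id) t.revoked = true; // assumption: only the minting client can revoke
  return { status: 200, body: {} }; // same 200 whether or not the token existed
}
```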