
Introspect endpoint

This endpoint is used to check whether a token is valid, and whether the token was actually issued by your Authentication Cloud instance. You can use the endpoint to verify the authenticity of transaction tokens after successful authentications, such as after in-band operations.

Note

This endpoint is modeled after OAuth 2 Token Introspection (RFC 7662), so the expected request payload is not JSON but application/x-www-form-urlencoded.

HTTP request

POST https://{instance}.mauth.nevis.cloud/api/v1/introspect

Request body parameters

| Parameter | Type | Required/Optional | Description |
|---|---|---|---|
| token | string | required | The token to be verified, issued or provided by the Authentication Cloud. See the list of supported tokens below. |

Supported tokens

The following tokens are supported by the introspect endpoint:

  • Access key: Used for authenticating API requests from the server side. See Authentication for details.
  • Transaction token: Returned by the Status endpoint. Use this token to verify whether the operation was really executed by your Authentication Cloud instance.
  • Status token: Returned by starting a registration or approval operation. Use this token to get the status of the registration or approval operation with the status endpoint.
  • Intent token: Short-lived one-time token that is restricted to a specific user and a specific intent. See the Intent endpoint for details.

Example HTTP request

Code sample for checking the validity and authenticity of a token
# Set $instance, $access_key and $token before running
curl "https://$instance.mauth.nevis.cloud/api/v1/introspect" \
  -XPOST \
  -H "Authorization: Bearer $access_key" \
  --data-urlencode "token=$token"

HTTP response

| Field | Type | Description |
|---|---|---|
| active | boolean | Indicates whether the presented token is currently active and was issued by this instance. If false is returned, the token is not valid and must not be trusted. |
| iat | timestamp | Expiration time, measured in the number of seconds since January 1 1970 UTC and indicating when this token expires, as defined in JSON Web Token (JWT) specification. |
| nbf | timestamp | Identifies the time before which the token must not be accepted for processing. It is measured in the number of seconds since January 1 1970 UTC, indicating when this token becomes valid, as defined in the JSON Web Token (JWT) specification. |
| sub | string | The subject of the token. For transaction tokens, this is the userId of the user in the operation. |
| aud | enum | Audience. Service-specific string identifier or list of string identifiers representing the intended audience for this token, as defined in the JSON Web Token (JWT) specification. |
| iss | URI | The issuer of this token, as defined in the JSON Web Token (JWT) specification. The issuer is your Authentication Cloud instance, and it is presented in the following format: https://{instance}.mauth.nevis.cloud/. |
| jti | string | Unique token identifier, as defined in the JSON Web Token (JWT) specification. For status tokens, this is the transaction identifier. |
| scope | string | Only present when an intent token is used. Contains the specific operation and channel to which the intent token is restricted, for example enroll:sms,app. See the Intent endpoint for details. |

Example HTTP response

200 OK: Active and valid access key

{
  "active": true,
  "iat": 1642436165000,
  "sub": "c8edb1d1-6dac-470f-b2fb-c25277a5c5b6",
  "aud": "api",
  "iss": "https://{instance}.mauth.nevis.cloud/"
}
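
One way to call the endpoint from a backend and fail closed on the result, shown as an added example that is not part of the original documentation or Nevis code. The function names, the instance name `example` and the sample values are assumptions; the checks use only the `active`, `iss` and `sub` fields described above.

```python
import json
import urllib.parse
import urllib.request

# Hypothetical helper names; only the URL, header and "token" parameter
# come from the documentation above.

def build_request(instance, access_key, token):
    """POST with a form-encoded body (RFC 7662 style), not JSON."""
    return urllib.request.Request(
        f"https://{instance}.mauth.nevis.cloud/api/v1/introspect",
        data=urllib.parse.urlencode({"token": token}).encode("ascii"),
        headers={"Authorization": f"Bearer {access_key}",
                 "Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )

def introspect(instance, access_key, token, timeout=10):
    """Send the request and return the parsed JSON response."""
    req = build_request(instance, access_key, token)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)

def check_transaction_token(result, instance, expected_user_id):
    """Return (trusted, reason); anything unexpected fails closed."""
    # "active" must be the JSON boolean true, not merely a truthy value.
    if not isinstance(result, dict) or result.get("active") is not True:
        return False, "token is not active"
    # The issuer must be this Authentication Cloud instance.
    if result.get("iss") != f"https://{instance}.mauth.nevis.cloud/":
        return False, "issuer is not this instance"
    # For transaction tokens, sub is the userId of the user in the operation.
    if result.get("sub") != expected_user_id:
        return False, "subject is not the expected user"
    return True, "ok"

# Constructed sample response (placeholder instance name and userId).
SAMPLE_OK = {
    "active": True,
    "sub": "c8edb1d1-6dac-470f-b2fb-c25277a5c5b6",
    "iss": "https://example.mauth.nevis.cloud/",
}

if __name__ == "__main__":
    print(check_transaction_token(SAMPLE_OK, "example", SAMPLE_OK["sub"]))
    print(check_transaction_token({"active": False}, "example", "any-user"))
```

In a real flow, pass the result of `introspect(...)` to `check_transaction_token(...)` and treat any network or JSON parsing error as an untrusted token.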