Token introspection

The Token Introspection service implements RFC 7662, providing an endpoint for authorized resource servers to query whether an access or refresh token is currently active and to retrieve its associated metadata. A resource server posts the token to this endpoint and receives a JSON response with the active state and optional claims such as scope, subject, client ID, and expiry time. nevisAuth validates the token against the AuthorizationServer AuthState that issued it, identified either by a URL path segment or implicitly when a single authorization server is configured in the service. Callers must authenticate using one of the configured methods, which defaults to HTTP Basic client credentials. This service is a key building block for protecting APIs without embedding token validation logic directly in each resource server.
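The exchange described above, shown end to end as an added example that is not part of the nevisAuth documentation or product code: a resource server builds the RFC 7662 request (token in a form-encoded body, HTTP Basic client credentials), a simulated introspection endpoint authenticates the caller and answers with either the token's claims or a bare `{"active": false}`, and the resource server then decides on `active`, `exp` and `scope`. The credentials, token values and the `NOW` timestamp are constructed for the example; the function names are the example's own and not a nevisAuth API.

```python
"""RFC 7662 token introspection, both sides, simulated in-process.

Everything below (client credentials, issued tokens, the fixed clock) is
constructed sample data for this example, not nevisAuth configuration.
"""
import base64
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed: the one resource server allowed to call the endpoint, and the
# tokens the (simulated) authorization server has issued.
RESOURCE_SERVER_CREDS = {"api-gateway": "s3cret-example"}
NOW = 1_700_000_000  # fixed "current time" so results are reproducible
ISSUED_TOKENS = {
    "tok-valid": {"scope": "read write", "sub": "alice", "client_id": "web-app",
                  "exp": NOW + 600, "token_type": "Bearer"},
    "tok-expired": {"scope": "read", "sub": "bob", "client_id": "web-app",
                    "exp": NOW - 5, "token_type": "Bearer"},
}


def build_introspection_request(token, client_id, client_secret, token_type_hint=None):
    """Resource-server side (RFC 7662 section 2.1): the token travels in an
    application/x-www-form-urlencoded POST body, never in the URL, and the
    caller authenticates with HTTP Basic client credentials."""
    body = {"token": token}
    if token_type_hint:
        body["token_type_hint"] = token_type_hint
    cred = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {cred}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    return headers, urlencode(body)


def introspection_endpoint(headers, body, now=NOW):
    """Authorization-server side: returns (http_status, json_body).
    Unauthenticated callers get 401. Unknown, revoked or expired tokens get
    {"active": false} and nothing else, so the endpoint does not leak whether
    a token ever existed (RFC 7662 section 2.2)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, {"error": "invalid_client"}
    try:
        user, _, pw = base64.b64decode(auth[len("Basic "):]).decode().partition(":")
    except Exception:
        return 401, {"error": "invalid_client"}
    expected = RESOURCE_SERVER_CREDS.get(user, "")
    # constant-time comparison so the check itself does not leak the secret
    if not expected or not hmac.compare_digest(expected.encode(), pw.encode()):
        return 401, {"error": "invalid_client"}
    token = parse_qs(body).get("token", [None])[0]
    if not token:
        return 400, {"error": "invalid_request"}
    meta = ISSUED_TOKENS.get(token)
    if meta is None or meta["exp"] <= now:
        return 200, {"active": False}
    return 200, {"active": True, **meta}


def token_allows(introspection_json, required_scope, now=NOW):
    """Resource-server decision: accept only a response whose 'active' is
    exactly True, whose 'exp' (if present) is still in the future, and whose
    space-separated 'scope' contains the scope this API call needs."""
    if introspection_json.get("active") is not True:
        return False
    exp = introspection_json.get("exp")
    if exp is not None and exp <= now:
        return False
    granted = set(introspection_json.get("scope", "").split())
    return required_scope in granted


def check_access(token, required_scope):
    """End to end: the resource server asks the endpoint, then decides."""
    headers, body = build_introspection_request(
        token, "api-gateway", "s3cret-example", token_type_hint="access_token")
    status, resp = introspection_endpoint(headers, body)
    if status != 200:
        return False
    return token_allows(resp, required_scope)


if __name__ == "__main__":
    for tok, scope in [("tok-valid", "read"), ("tok-valid", "delete"),
                       ("tok-expired", "read"), ("tok-unknown", "read")]:
        print(tok, scope, "->", "allow" if check_access(tok, scope) else "deny")
```

The two checks worth keeping from this when wiring a real resource server to the nevisAuth endpoint: treat anything other than a literal `active: true` as a denial, and re-check `exp` and `scope` locally rather than trusting that "active" alone means "allowed for this operation".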