Introspect a token

curl --request POST \
  --url https://api.hq.zone/v1/oauth/introspect \
  --header 'Content-Type: application/json' \
  --data '
{
  "client_id": "<string>",
  "token": "<string>",
  "client_secret": "<string>",
  "token_type_hint": "<string>"
}
'

{
  "active": true,
  "client_id": "<string>",
  "exp": 123,
  "iat": 123,
  "scope": "<string>",
  "sub": "<string>",
  "token_type": "<string>",
  "username": "<string>"
}

Authentication

Introspect a token

RFC 7662 token introspection: the calling client authenticates (client_id, plus client_secret for confidential clients) and submits a token to check, as form or JSON. Returns active true only for a token that the authenticated client itself issued and that is neither revoked nor expired, along with its scope, client_id, username, token_type, exp, iat, and sub; for any other token (unknown, expired, revoked, or belonging to a different client) it returns active false without leaking details.

POST

oauth

introspect

Introspect a token

curl --request POST \
  --url https://api.hq.zone/v1/oauth/introspect \
  --header 'Content-Type: application/json' \
  --data '
{
  "client_id": "<string>",
  "token": "<string>",
  "client_secret": "<string>",
  "token_type_hint": "<string>"
}
'

{
  "active": true,
  "client_id": "<string>",
  "exp": 123,
  "iat": 123,
  "scope": "<string>",
  "sub": "<string>",
  "token_type": "<string>",
  "username": "<string>"
}

Token introspection (RFC 7662)

Reports whether a token is currently active and returns its metadata (scope, expiry, subject). Send the token as a form field token (application/x-www-form-urlencoded). Returns { "active": false } for unknown, expired, or revoked tokens.

Body

application/json

RFC 7662. The calling client authenticates (client_id + secret for confidential). Form or JSON.

client_id

string

required

token

string

required

client_secret

string | null

token_type_hint

string | null

Response

Token metadata for a token this client issued, or { active: false }

active

boolean

required

client_id

string | null

exp

integer<int64> | null

iat

integer<int64> | null

scope

string | null

sub

string | null

token_type

string | null

username

string | null

OAuth token endpoint Revoke a token

⌘I

​Token introspection (RFC 7662)

Body

Response

Token introspection (RFC 7662)