Token Introspection
Verify the legitimacy of the access token or refresh token.
Example request:
Parameters with details:
token (String, Required): Token to be introspected.
token_type_hint (String, Required): Specifies which type of token to introspect. To introspect an access token, use access_token as the value; to introspect a refresh token, use refresh_token as the value.
client_id (String, Required): Client ID registered with digiRunner.
client_secret (String, Optional):
    Scenario I. Higher-Security (Client Password Required): Client Password registered with digiRunner.
    Scenario II. PKCE + Public Client (Client Password Not Required): When the Public Client (With PKCE) option is selected in digiRunner's OAuth grant type, the parameter is not required.
Example of Successful Response
Example:
Parameters with details:
active (Boolean): Indicates whether the token was issued by digiRunner, hasn't been revoked by the resource owner, and is still within its valid period. Returns true or false.
scope (String): Specifies the range of resources that the access token is granted permission to access.
client_id (String): Use client_id as the value for OAuth.
username (String): Identifies the user who authorized this token, such as an alias on the application.
token_type (String): Indicates the type of the token, such as access_token or refresh_token.
exp (Number): Token expiration time, an integer indicating the seconds since 1970-01-01T00:00:00Z UTC.
iat (Number): Token issuance time, an integer indicating the seconds since 1970-01-01T00:00:00Z UTC at which the OAuth Server issued the token.
nbf (Number): Not-before time, an integer indicating the seconds since 1970-01-01T00:00:00Z UTC before which the token is not valid.
sub (String): Identifies the user who authorized the token.
aud (String): Indicates the audience intended to use the token.
iss (String): Indicates the authorization server issuing the token.
jti (String): Unique ID of this token, such as a UUID used when storing the token in a database to prevent replay attacks.
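A resource server should check more than active before honoring a token. The following Python is an added example, not digiRunner's own code: it validates a parsed introspection response using the fields listed above. The function name, the sample values, the 30-second clock leeway and the space-separated scope format are assumptions.

```python
import time

# Constructed sample response: field names follow the list above, values are made up.
SAMPLE = {
    "active": True,
    "scope": "orders.read orders.write",
    "client_id": "example-client",
    "username": "alice",
    "token_type": "access_token",
    "exp": 1_700_003_600,
    "iat": 1_700_000_000,
    "nbf": 1_700_000_000,
    "sub": "alice",
    "aud": "orders-api",
    "iss": "https://dgr.example.invalid",
    "jti": "00000000-0000-4000-8000-000000000001",
}


def check_introspection(resp, *, issuer, audience, required_scopes=(), now=None, leeway=30):
    """Return (ok, reason); a missing active, token_type, exp, iss or aud fails."""
    now = time.time() if now is None else now
    if resp.get("active") is not True:            # must be boolean true, not "true"
        return False, "inactive"
    if resp.get("token_type") != "access_token":  # a refresh token must not be accepted for API calls
        return False, "wrong token_type"
    exp, nbf = resp.get("exp"), resp.get("nbf")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        return False, "expired"
    if isinstance(nbf, (int, float)) and now + leeway < nbf:
        return False, "not yet valid"
    if resp.get("iss") != issuer:                 # token minted by a different server
        return False, "unexpected iss"
    if resp.get("aud") != audience:               # token intended for a different API
        return False, "unexpected aud"
    granted = set(str(resp.get("scope") or "").split())  # assumes space-separated scopes
    missing = set(required_scopes) - granted
    if missing:
        return False, "missing scope: " + ",".join(sorted(missing))
    return True, "ok"
```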
Example of Error Response
If the client password is incorrect, a 401 Unauthorized HTTP status code and JSON response will be returned.
Example: