CIAM.wiki

Token Introspection

Token introspection is an OAuth 2.0 protocol that allows a resource server to query the authorization server to determine whether an access or refresh token is currently active and to retrieve its metadata.

Also: introspection

Token introspection is defined in RFC 7662 as a method for a protected resource to check the current state of a token. The resource server sends the token to the authorization server’s introspection endpoint and receives a JSON response indicating whether the token is active. If active, the response includes metadata such as the token’s scopes, the client that requested it, the subject it represents, and its expiration time.

This mechanism is especially useful with opaque tokens that the resource server cannot decode on its own. Rather than embedding all authorization data inside the token itself, the system can keep tokens short and let the resource server look up details on demand. Introspection also supports near-real-time revocation checks, because the authorization server can report a token as inactive the moment it is revoked.
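The exchange described above, as an added example that is not part of the CIAM.wiki entry: an in-process stand-in for the authorization server's introspection endpoint (which must authenticate the caller and returns only `{"active": false}` for unknown or revoked tokens) and a resource-server side that fails closed on the reply. The token store, clock value, credentials and scope names are constructed for the example.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode

NOW = 1_700_000_000  # fixed clock so the example is deterministic (constructed value)
RS_CREDS = ("orders-api", "rs-secret")  # hypothetical resource-server credentials
TOKENS = {  # constructed store standing in for the authorization server's own state
    "opaque-abc123": {"scope": "orders:read profile", "client_id": "mobile-app",
                      "sub": "customer-42", "exp": NOW + 600, "revoked": False},
    "opaque-rev789": {"scope": "orders:read", "client_id": "web-app",
                      "sub": "customer-7", "exp": NOW + 600, "revoked": True},
}

def basic_auth(creds):
    return "Basic " + base64.b64encode(":".join(creds).encode()).decode()

def introspection_endpoint(headers, body, now=NOW):
    """Authorization-server side of RFC 7662. Returns (HTTP status, JSON text)."""
    # Section 2.1: the caller must authenticate, or anyone could probe tokens.
    if headers.get("Authorization") != basic_auth(RS_CREDS):
        return 401, json.dumps({"error": "invalid_client"})
    token = parse_qs(body).get("token", [""])[0]
    rec = TOKENS.get(token)
    # Unknown, revoked and expired tokens all get the same minimal reply (Section 2.2).
    if rec is None or rec["revoked"] or rec["exp"] <= now:
        return 200, json.dumps({"active": False})
    return 200, json.dumps({"active": True, "scope": rec["scope"], "client_id": rec["client_id"],
                            "sub": rec["sub"], "exp": rec["exp"], "token_type": "Bearer"})

def introspect(token, now=NOW):
    """Resource-server side: form-encoded POST with Basic auth, parsed JSON reply."""
    headers = {"Authorization": basic_auth(RS_CREDS),
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"token": token, "token_type_hint": "access_token"})
    status, text = introspection_endpoint(headers, body, now)  # stand-in for the HTTPS call
    if status != 200:
        raise RuntimeError(f"introspection failed: HTTP {status}")
    return json.loads(text)

def authorize(token, required_scopes, now=NOW):
    """Fail closed: only active == True, an unexpired exp and all required scopes pass."""
    info = introspect(token, now)
    if info.get("active") is not True:        # anything but the boolean true is a deny
        return False, "token inactive"
    if "exp" in info and info["exp"] <= now:  # exp is optional; re-check locally if present
        return False, "token expired"
    missing = set(required_scopes) - set(info.get("scope", "").split())
    if missing:
        return False, "missing scope: " + " ".join(sorted(missing))
    return True, info["sub"]
```

Because the resource server asks on every request, flipping `revoked` in the store (or letting `exp` pass) changes the next decision immediately, which is the near-real-time revocation property the entry describes.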

For CIAM, token introspection enables resource servers to validate customer tokens centrally, supporting scenarios like immediate session termination and fine-grained access control.

Sources