POST /oauth/introspect

The /oauth/introspect endpoint is used to verify a token and to translate it into claims. Introspection is defined in RFC 7662.

A token can only be introspected by a client within the same merchant, or by a client who is the intended audience, meaning the service domain of the introspecting client must be in the aud claim array. For further information on cross merchant introspection, see Specifying a resource indicator.


POST /oauth/introspect
Authorization: Basic NGU4NDYz...OmZvb2Jhcg==
Content-Type: application/x-www-form-urlencoded



Request with valid, non-expired token

HTTP/1.1 200 OK
Content-Length: 622
Content-Type: application/json
Date: Mon, 29 Feb 2016 13:37:00 GMT

    "sub": "5d75167d-8841-5072-89cb-985915e2dbb3",
    "aud": [
    "scope": "profile address email phone",
    "iss": "",
    "active": true,
    "token_type": "Bearer",
    "exp": 1503928222,
    "iat": 1503924622,
    "client_id": "4e8463569caf7ca019000007",
    "jti": "45e73931-fcd6-4260-b5eb-51286c781e53"

Request with invalid token

Invalid token can be an expired token, a token not intended for the introspecting client, or a non JWT token.

HTTP/1.1 200 OK
Content-Length: 230
Content-Type: application/json
Date: Mon, 29 Feb 2016 13:37:00 GMT

    "active": false

Failure cases

  • 400 Bad Request Missing token
  • 401 Unauthorized Invalid client credentials

See also

Help us improve

Did you spot an error? Or maybe you just have a suggestion for how we can improve? Leave a comment, or better yet, send us a pull request on GitHub to fix it (in-browser editing, only takes a moment).

History of this page


Do you have questions, or just want to contribute some newly gained insight? Want to share an example? Please leave a comment. Our team reads and responds to every question. Additionally, your experience can help others using Schibsted account, and it can help us continuously improve our documentation.