> ## Documentation Index
> Fetch the complete documentation index at: https://stytch.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Authenticate Access Token (Local)

> Authenticate a Connected App access token.

export const isB2B_0 = undefined

export const projectDomain_0 = undefined

Examine and introspect an access token locally. All standard and custom claims will be returned. No network calls are made when invoking this API method.

An error will be thrown if the token is not active.

This method supports **only** [access tokens](../tokens/connected-app-access-token-object).

If an `authorization_check` object is passed in, this method will also check if the token contains scopes that are authorized to perform the specified action on the `resource_id` in the specified Organization.

## Body

<ParamField body="token" type="string" required>
  The token to introspect.
</ParamField>

{isB2B_0 &&
<ParamField body="authorization_check" type="object">
  <p>If an <code>authorization_check</code> object is passed in, this method will also check if the Member is authorized to perform the given action on the given Resource in the specified Organization. A Member is authorized if their Member Session contains a Role, assigned <a href="/multi-tenant-authentication/guides/rbac/role-assignment">explicitly or implicitly</a>, with adequate permissions. In addition, the <code>organization_id</code> passed in the authorization check must match the Member's Organization.</p>

  <p>The Roles on the Member Session may differ from the Roles you see on the Member object - Roles that are implicitly assigned by SSO connection or SSO group will only be valid for a Member Session if there is at least one authentication factor on the Member Session from the specified SSO connection.</p>

  <p>If the Member is not authorized to perform the specified action on the specified Resource, or if the <code>organization_id</code> does not match the Member's Organization, a 403 error will be thrown. Otherwise, the response will contain a list of Roles that satisfied the authorization check.</p>

  <Expandable>
    <ResponseField name="organization_id" type="string">
      Globally unique UUID that identifies a specific Organization. The Organization's ID must match the Member's Organization.
    </ResponseField>
    <ResponseField name="resource_id" type="string">
      A unique identifier of the RBAC Resource, provided by the developer and intended to be human-readable. A <code>resource_id</code> is not allowed to start with <code>stytch</code>, which is a special prefix used for Stytch default Resources with reserved <code>resource_id</code>s. These include <code>stytch.organization</code>, <code>stytch.member</code>, <code>stytch.sso</code>, and <code>stytch.self</code>. Check out the <a href="/multi-tenant-auth/enterprise-ready/rbac/create-rbac-policy#default-roles-and-resources">guide on Stytch default Resources</a> for a more detailed explanation.
    </ResponseField>
    <ResponseField name="action" type="string">
      An action to take on a Resource.
    </ResponseField>
  </Expandable>
</ParamField>
}

## Response

<ResponseField name="scope" type="string">
  The scopes granted to the token.
</ResponseField>

<ResponseField name="token_type" type="string">
  The type of the token. Possible values are `access_token` and `refresh_token`.
</ResponseField>

<ResponseField name="expires_at" type="string">
  The expiration time of the token, expressed as a Unix timestamp.
</ResponseField>

<ResponseField name="issued_at" type="string">
  The time at which the token was issued, expressed as a Unix timestamp.
</ResponseField>

<ResponseField name="subject" type="string">
  The subject of the token. This is a unique identifier for the user.
</ResponseField>

<ResponseField name="issuer" type="string">
  The issuer of the token. This is the domain of your project, e.g. https\://\${projectDomain_0} by default, or stytch.com/PROJECT\_ID if the token was retrieved using the stytch.com domain. See the [Custom Domain](/connected-apps/resources/custom-domains) guide for more information.
</ResponseField>

<ResponseField name="audience" type="string">
  The audience (project\_id) that the token is intended for. Additional custom audiences can be defined for the token by setting the `access_token_custom_audience` parameter on the client object.
</ResponseField>

<Panel>
  <RequestExample>
    ```js Node SDK theme={null}
    const stytch = require('stytch');

    const client = new stytch.B2BClient({
      project_id: '${projectId}',
      secret: '${secret}',
      custom_base_url: '${projectDomain}',
    });

    const params = {
      token: 'eyJ...',
    };

    const options = {
      authorization_check: {
        organization_id: '${organizationId}',
        resource_id: 'documents',
        action: 'create',
      },
    };

    client.idp
      .introspectTokenLocal(params, options)
      .then((resp) => {
        console.log(resp);
      })
      .catch((err) => {
        console.log(err);
      });

    ```

    ```go Go SDK theme={null}
    package main

    import (
    	"context"
    	"log"

    	"github.com/stytchauth/stytch-go/v16/stytch/b2b/b2bstytchapi"
    	"github.com/stytchauth/stytch-go/v16/stytch/b2b/idp"
    )

    func main() {
    	client, err := b2bstytchapi.NewClient(
    		"${projectId}",
    		"${secret}",
    		b2bstytchapi.WithBaseURI("${projectDomain}"),
    	)
    	if err != nil {
    		log.Fatalf("error instantiating client: %v", err)
    	}

    	resp, err := client.IDP.IntrospectTokenLocal(context.Background(), &idp.IntrospectTokenLocalParams{
    		Token: "eyJ...",
    	})
    	if err != nil {
    		log.Fatalf("error in method call: %v", err)
    	}

    	log.Println(resp)
    }
    ```

    ```python Python SDK theme={null}
    from stytch import B2BClient
    from stytch.b2b.models.sessions import AuthorizationCheck

    client = B2BClient(
        project_id="${projectId}",
        secret="${secret}",
        custom_base_url="${projectDomain}",
    )

    resp = client.idp.introspect_token_local(
        token="eyJ...",
        authorization_check=AuthorizationCheck(
          organization_id='${organizationId}',
          resource_id='documents',
          action='create'
        ),
    )

    print(resp)

    ```

    ```ruby Ruby SDK theme={null}
    require 'stytch'

    client = StytchB2B::Client.new(
      project_id: '${projectId}',
      secret: '${secret}',
      custom_base_url: '${projectDomain}',
    )

    resp = client.idp.introspect_token_local(
        token="eyJ...",
    )

    print(resp)

    ```
  </RequestExample>

  <ResponseExample>
    ```json 200 theme={null}
    {
      "subject": "member-test-32fc5024-9c09-4da3-bd2e-c9ce4da9375f",
      "scope": "openid email profile",
      "audience": ["PROJECT_ID"],
      "client_id": "connected-app-test-d731954d-dab3-4a2b-bdee-07f3ad1be888",
      "expires_at": 1738848103,
      "issued_at": 1738844503,
      "issuer": "https://${projectDomain}",
      "token_type": "access_token"
    }
    ```
  </ResponseExample>
</Panel>
