Examine and introspect an access token locally. All standard and custom claims will be returned. No network calls are made when invoking this API method.
An error will be thrown if the token is not active.
This method supports only access tokens.
If an authorization_check object is passed in, this method will also check if the token contains scopes that are authorized to perform the specified action on the resource_id in the specified Organization.
The token to introspect.
If an authorization_check object is passed in, this endpoint will also check if the Member is authorized to perform the given action on the given Resource in the specified Organization. A Member is authorized if their Member Session contains a Role, assigned explicitly or implicitly, with adequate permissions. In addition, the organization_id passed in the authorization check must match the Member's Organization.
The Roles on the Member Session may differ from the Roles you see on the Member object - Roles that are implicitly assigned by SSO connection or SSO group will only be valid for a Member Session if there is at least one authentication factor on the Member Session from the specified SSO connection.
If the Member is not authorized to perform the specified action on the specified Resource, or if the organization_id does not match the Member's Organization, a 403 error will be thrown. Otherwise, the response will contain a list of Roles that satisfied the authorization check.
Globally unique UUID that identifies a specific Organization. The Organization's ID must match the Member's Organization
A unique identifier of the RBAC Resource, provided by the developer and intended to be human-readable.
A resource_id is not allowed to start with stytch, which is a special prefix used for Stytch default Resources with reserved resource_ids. These include:
Check out the guide on Stytch default Resources for a more detailed explanation.
An action to take on a Resource.
The scopes granted to the token.
The type of the token. Possible values are access_token and refresh_token.
The expiration time of the token, expressed as a Unix timestamp.
The time at which the token was issued, expressed as a Unix timestamp.
The subject of the token. This is a unique identifier for the user.
The issuer of the token. This is the domain of your project, e.g. https://${projectDomain} by default, or stytch.com/PROJECT_ID if the token was retrieved using the stytch.com domain. See the Custom Domain guide for more information.
The audience (project_id) that the token is intended for. Additional custom audiences can be defined for the token by setting the access_token_custom_audience parameter on the client object.
const stytch = require('stytch');
const client = new stytch.B2BClient({
project_id: 'PROJECT_ID',
secret: 'SECRET',
custom_base_url: '${projectDomain}',
});
const params = {
token: 'eyJ...',
};
const options = {
authorization_check: {
organization_id: 'organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931',
resource_id: 'documents',
action: 'create',
},
};
client.idp
.introspectTokenLocal(params, options)
.then((resp) => {
console.log(resp);
})
.catch((err) => {
console.log(err);
});{
"subject": "member-test-32fc5024-9c09-4da3-bd2e-c9ce4da9375f",
"scope": "openid email profile",
"audience": ["PROJECT_ID"],
"client_id": "connected-app-test-d731954d-dab3-4a2b-bdee-07f3ad1be888",
"expires_at": 1738848103,
"issued_at": 1738844503,
"issuer": "https://${projectDomain}",
"token_type": "access_token"
}