Stytch – The most powerful identity platform built for developers

Introspect Token

POST

https://${projectDomain}/v1/oauth2/introspect

Examine and introspect a token for the given Connected Apps client. All standard OIDC claims, as well as custom claims, will be returned.

The active status can be used to determine if the token is active.

This endpoint supports both access tokens and refresh tokens.

Important: Unlike other Stytch API endpoints, this endpoint is not authenticated with a project_id and project_secret pair. Instead, it is authenticated via the client_id and client_secret of an active Connected App Client within the current project.

This endpoint is an RFC-7662 compliant token introspection endpoint.

This endpoint supports passing the client_id and client_secret within the request body as well as within a HTTP-Basic Auth header.
This endpoint supports the application/x-www-form-urlencoded content type.

If an authorization_check object is passed in, this method will also check if the token contains scopes that are authorized to perform the specified action on the resource_id in the specified Organization.

We recommend using the Custom Domain whenever possible. For backwards compatibiliy reasons, this endpoint is also available at https://test.stytch.com/v1/public/${projectId}/oauth2/introspect.

Body parameters

token* string

The token to introspect.

token_type_hint string

A hint for the type of the token. Possible values are access_token and refresh_token.

client_id* string

The ID of the Connected App client.

client_secret string

The secret of the Connected App client. Required for confidential clients

Response fields

active boolean

Whether the token is active.

scope string

The scopes granted to the token.

client_id string

The ID of the Connected App client.

token_type string

The type of the token. Possible values are access_token and refresh_token.

exp string

The expiration time of the token, expressed as a Unix timestamp.

iat string

The time at which the token was issued, expressed as a Unix timestamp.

sub string

The subject of the token. This is a unique identifier for the user.

iss string

The issuer of the token. This is the domain of your project, e.g. https://${projectDomain} by default, or stytch.com/PROJECT_ID if the token was retrieved using the stytch.com domain. See the Custom Domain guide for more information.

aud string

The audience (project_id) that the token is intended for. Additional custom audiences can be defined for the token by setting the access_token_custom_audience parameter on the client object.

request_id string

Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.

status_code int

The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.

const stytch = require('stytch');

const client = new stytch.B2BClient({
  project_id: 'PROJECT_ID',
  secret: 'SECRET',
  custom_base_url: '${projectDomain}',
});

const params = {
  token: 'eyJ...',
  client_id: 'connected-app-test-d731954d-dab3-4a2b-bdee-07f3ad1be888',
  client_secret: 'NHQhc7ZqsXJVtgmN2MXr1etqsQrGAwJ-iBWNLKY7DzJq',
  token_type_hint: 'access_token',
};

const options = {
  authorization_check: {
    organization_id: 'organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931',
    resource_id: 'documents',
    action: 'create',
  },
};

client.idp
  .introspectTokenNetwork(params, options)
  .then((resp) => {
    console.log(resp);
  })
  .catch((err) => {
    console.log(err);
  });

RESPONSE 200

{
	"active": true,
	"aud": ["PROJECT_ID"],
	"client_id": "connected-app-test-d731954d-dab3-4a2b-bdee-07f3ad1be888",
	"exp": 1738848103,
	"iat": 1738844503,
	"iss": "https://${projectDomain}",
	"scope": "openid email profile",
	"sub": "member-test-32fc5024-9c09-4da3-bd2e-c9ce4da9375f",
	"token_type": "access_token",
	"request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
	"status_code": 200
}

RESPONSE 200 Inactive Token

{
	"active" false,
	"request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
	"status_code": 200
}

RESPONSE 404

{
  "status_code": 404,
  "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
  "error_type": "idp_client_not_found",
  "error_message": "The IDP client requested could not be found.",
  "error_url": "https://stytch.com/docs/api/errors/404"
}

RESPONSE 429

{
  "status_code": 429,
  "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
  "error_type": "too_many_requests",
  "error_message": "Too many requests have been made.",
  "error_url": "https://stytch.com/docs/api/errors/429"
}

RESPONSE 500

{
  "status_code": 500,
  "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
  "error_type": "internal_server_error",
  "error_message": "Oops, something seems to have gone wrong, please reach out to support@stytch.com to let us know what went wrong.",
  "error_url": "https://stytch.com/docs/api/errors/500"
}

Delete

Organization

Discovery

Organization

Discovery

Discovery

Organization

Token

SAML

OIDC

External

Shared

Connection management

Token management

SCIM groups

Create or Reset Options

One-time passcodes

Time-based one-time passcodes

Recovery codes

TOKEN

M2M Client

Rotate secret

Tokens

Configuration

Methods

Consent Management

Application Management

Rotate secret

Introspect Token

Body parameters

Response fields