Introspection response for expired access token

When an resource server makes a request to Authlete's /auth/introspection API, and the request includes an expired access token, Authlete works as follows:
  • To the first request: Authlete determines the token has been expired and then removes the token from its database.
  • To the second and subsequent requests: Authlete determines the token doesn't exist. Because the token has been removed at the first request.
In either case, a value of "action" in a response from the API would be "UNAUTHORIZED".

See also:
How did we do with this article?