Introspection response for expired access token
Authlete's /auth/introspection API responds to requests with an expired access token as follows:
- To the first request: The token has expired. Authlete then removes the token from its database.
- To the second and subsequent requests: The token doesn't exist, because the token was removed at the first request.
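
Because the same expired token produces two different answers, a resource server that logs or alerts on "unknown token" will see retries of an expired token as if they were never-issued tokens. The sketch below is an added example, not Authlete code: `FakeIntrospection` is a constructed in-memory stand-in for the behaviour described above, and the `existent` / `usable` field names and the `ResourceServer` class are assumptions made for illustration.

```python
import hashlib


class FakeIntrospection:
    """Constructed stand-in that reproduces the two-step behaviour above."""

    def __init__(self, tokens):
        self.tokens = dict(tokens)  # token -> expiry time (epoch seconds)

    def introspect(self, token, now):
        if token not in self.tokens:
            # Second and subsequent requests: the token doesn't exist.
            return {"existent": False, "usable": False}
        if self.tokens[token] <= now:
            # First request after expiry: report it, then remove the token.
            del self.tokens[token]
            return {"existent": True, "usable": False}
        return {"existent": True, "usable": True}


class ResourceServer:
    """Hypothetical caller: same 401 either way, different log reason."""

    def __init__(self, introspection):
        self.introspection = introspection
        # SHA-256 digests only, never raw tokens. A real deployment would
        # bound this set with a TTL or size limit.
        self.seen_expired = set()

    def check(self, token, now):
        """Return (http_status, log_reason) for a presented bearer token."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        result = self.introspection.introspect(token, now)
        if result["usable"]:
            return 200, "ok"
        if result["existent"]:
            self.seen_expired.add(digest)
            return 401, "expired"
        if digest in self.seen_expired:
            # "Doesn't exist" for a token already seen expiring: a client
            # retry, not evidence of a forged or guessed token.
            return 401, "expired_retry"
        return 401, "unknown_token"
```

The client receives the same 401 in all three rejection cases; only the log reason differs, which keeps expired-token retries out of the "unknown token" signal.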