Introspection response for expired access token
Authlete's /auth/introspection API responds to requests that present an expired access token as follows:
- To the first request: the token has expired. Authlete then removes the token from its database.
- To the second and subsequent requests: the token doesn't exist, because it was removed at the first request.
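The sequence above matters to a resource server because the same token yields two different answers over time, and both must end in the same rejection. The following is an added example, not Authlete's code: `FakeIntrospection` and `protect` are hypothetical names, the stand-in only mimics the behaviour described above, and the `action`, `existent` and `usable` fields are assumed to mirror the introspection response.

```python
import time


class FakeIntrospection:
    """Constructed stand-in that mimics the expire-then-remove behaviour."""

    def __init__(self):
        self.tokens = {}  # token -> expiry time (epoch seconds)

    def issue(self, token, expires_at):
        self.tokens[token] = expires_at

    def introspect(self, token, now=None):
        now = time.time() if now is None else now
        if token not in self.tokens:
            # Second and subsequent requests: the record is already gone.
            return {"action": "UNAUTHORIZED", "existent": False, "usable": False}
        if self.tokens[token] <= now:
            # First request after expiry: report it, then remove the record.
            del self.tokens[token]
            return {"action": "UNAUTHORIZED", "existent": True, "usable": False}
        return {"action": "OK", "existent": True, "usable": True}


def protect(resp):
    """Resource-server decision: (HTTP status, WWW-Authenticate value or None).

    Fails closed: anything other than an explicit OK with a usable token is
    rejected, and expired and unknown tokens get the same answer, so the
    caller learns nothing from the difference between the two responses.
    """
    if resp.get("action") == "OK" and resp.get("usable") is True:
        return 200, None
    return 401, 'Bearer error="invalid_token"'


if __name__ == "__main__":
    svc = FakeIntrospection()
    svc.issue("sample-token", expires_at=100)      # constructed sample token
    for t in (50, 200, 200):                       # valid, expired, removed
        resp = svc.introspect("sample-token", now=t)
        print(t, resp, protect(resp))
```

Logging `existent` alongside the rejection keeps the two cases distinguishable for troubleshooting without changing what the client sees.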