Tokens
Access Tokens
Refresh Tokens
- How to enable issuing of a refresh token
- Refresh tokens after being used
ID Tokens
Proof-of-Possession (PoP) Tokens
- Issuing mutual-TLS certificate-bound access tokens
- Using DPoP
Grant Type
Scopes
PKCE (RFC 7636)
- Requiring clients to use PKCE for their authorization requests
- Requiring clients to specify "S256" when using PKCE for their authorization requests
Client Management
Authorization Requests
User Authentication
- Using OAuth 2.0 for User Authentication
Error Handling
Client Authentication
Introspection
- Introspection response for expired access token
- Checking if an access token has particular scopes
- Use cases for two introspection APIs
Userinfo Endpoint
- Access token verification in Userinfo API
JARM
- Enabling JARM
Device Flow (RFC 8628)
- Enabling “device flow”

Introspection response for expired access token

When an resource server makes a request to Authlete's /auth/introspection API, and the request includes an expired access token, Authlete works as follows:

To the first request: Authlete determines the token has been expired and then removes the token from its database.
To the second and subsequent requests: Authlete determines the token doesn't exist. Because the token has been removed at the first request.

In either case, a value of "action" in a response from the API would be "UNAUTHORIZED".

See also:

JavaDoc for Class IntrospectionResponse

How did we do with this article?

Authlete Knowledge Base

Introspection response for expired access token

Free Trial

Looking for something?

<img src="https://assets.timelapsehc.com/uploads/site/logo/313/standard_authlete-logo-image-white-with-transparent-bg-256.png?v=1682481455" alt="Standard authlete logo image white with transparent bg 256" /> Authlete Knowledge Base

Introspection response for expired access token

Free Trial

Looking for something?

Authlete Knowledge Base