Validate a Token

Validating Access Tokens

There are two ways to validate an access token depending on the type:

  • A JWT is validated by checking its signature. The tenant certificate is the public key.
  • An opaque token is validated by calling the /oauth2//introspect/ endpoint and passing the access token or refresh token in the token body parameter:

Authorization: Basic amFtZ...
Content-Type: application/x-www-form-urlencoded


The active field in the response indicates if the token is currently active:
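
The introspection call described above, as an added Python example (not part of the original documentation). The function names, the use of a client ID and secret as the Basic credentials, and the caller-supplied `introspect_url` are assumptions; the URL is passed in because the endpoint path is only partially shown on this page.

```python
import base64
import json
import urllib.parse
import urllib.request


def build_introspect_request(introspect_url, client_id, client_secret, token):
    """Build the POST: Basic auth header, form-encoded body, `token` parameter."""
    # Assumption: the Basic credentials are a client id and secret.
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    # urlencode percent-escapes characters such as '+' and '/' in the token.
    body = urllib.parse.urlencode({"token": token}).encode()
    return urllib.request.Request(
        introspect_url,
        data=body,
        method="POST",
        headers={
            "Authorization": f"Basic {basic}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )


def token_is_active(response_body):
    """Fail closed: only a JSON object whose `active` is boolean true is valid."""
    try:
        doc = json.loads(response_body)
    except (ValueError, TypeError):
        return False  # not JSON (for example an HTML error page) or empty
    # The string "true", a missing field, or a non-object all count as inactive.
    return isinstance(doc, dict) and doc.get("active") is True


def introspect(introspect_url, client_id, client_secret, token, timeout=10):
    """Send the request; any transport or HTTP error is treated as 'not active'."""
    req = build_introspect_request(introspect_url, client_id, client_secret, token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return token_is_active(resp.read())
    except OSError:  # URLError, HTTPError and timeouts are all OSError subclasses
        return False
```

Treating every outcome other than a literal `"active": true` as a rejection keeps a misconfigured proxy, an error page, or a timeout from being read as a valid token.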


Validating ID Tokens

There are two ways to validate an ID token:

  • Use the /oauth2//introspect/ endpoint to get the token's active status (see example above).
  • Use the /Security/whoami endpoint, passing the code as a Bearer token in the Authorization header:

Authorization: Bearer eyJhbGci...
Content-Type: application/json

The Result field in the response contains information about the user who was authorized on the tenant using the specified token, which implies that the token is valid.

      "User":"[email protected]",
