Validate a Token

Validating Access Tokens

There are two ways to validate an access token depending on the type:

  • A JWT is validated by checking its signature. The tenant certificate supplies the public key used to verify it.
  • An opaque token is validated by calling the /oauth2//introspect/ endpoint and passing the access token or refresh token in the token body parameter:

POST https://tenant.my.centrify.net/oauth2/introspect/jamestest1234 HTTP/1.1
Authorization: Basic amFtZ...
Content-Type: application/x-www-form-urlencoded

token=eyJhbGci...

The active field in the response indicates whether the token is currently active:

{
  "active":false
}
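
The introspection call above, as an added Python sketch (not Centrify's own code) that builds the request and interprets the response so that anything other than a clean "active": true is treated as an invalid token. The function and parameter names are hypothetical, path_id stands for the final path segment (jamestest1234 in the sample), the Basic header is assumed to be the standard encoding of a client ID and secret, and all sample values are constructed.

```python
import json
import base64
import urllib.parse
import urllib.request


def build_introspection_request(tenant_url, path_id, client_id, client_secret, token):
    """Build (without sending) the introspection POST shown above."""
    if not tenant_url.lower().startswith("https://"):
        raise ValueError("refusing to send credentials and tokens over a non-HTTPS URL")
    url = "{}/oauth2/introspect/{}".format(
        tenant_url.rstrip("/"), urllib.parse.quote(path_id, safe=""))
    # Assumption: standard HTTP Basic encoding of "client_id:client_secret".
    basic = base64.b64encode("{}:{}".format(client_id, client_secret).encode()).decode()
    # urlencode escapes characters such as '+' and '=' that a token may contain.
    body = urllib.parse.urlencode({"token": token}).encode()
    return urllib.request.Request(url, data=body, method="POST", headers={
        "Authorization": "Basic " + basic,
        "Content-Type": "application/x-www-form-urlencoded",
    })


def token_is_active(status, raw_body):
    """Fail closed: only HTTP 200 with a JSON boolean "active": true counts."""
    if status != 200:
        return False
    try:
        doc = json.loads(raw_body)
    except (ValueError, TypeError):
        return False
    return isinstance(doc, dict) and doc.get("active") is True


if __name__ == "__main__":
    req = build_introspection_request(
        "https://tenant.my.centrify.net", "jamestest1234",
        "example-client", "example-secret", "eyJhbGci...")  # constructed values
    print(req.get_method(), req.full_url)
    # Constructed responses; send with urllib.request.urlopen(req, timeout=10).
    for status, body in [(200, b'{"active":true}'), (200, b'{"active":false}'),
                         (200, b'{"active":"true"}'), (503, b"upstream error")]:
        print(status, body, "->", token_is_active(status, body))
```

The string "true", a missing active field, a non-200 status, and an unparseable body all evaluate to inactive, so an error at the introspection endpoint never results in a token being accepted.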

Validating ID Tokens

There are two ways to validate an ID token:

  • Use the /oauth2//introspect/ endpoint to get the token's active status (see example above).
  • Use the /Security/whoami endpoint, passing the token as a Bearer token in the Authorization header:

POST https://tenant.my.centrify.net/security/whoami
Authorization: Bearer eyJhbGci...
Content-Type: application/json

The Result field in the response contains information about the user who was authorized on the tenant using the specified token, which implies that the token is valid.

{  
   "success":true,
   "Result":{  
      "TenantId":"mytenant",
      "User":"[email protected]",
      "UserUuid":"c2c7..."
   },
   "Message":null,
   "MessageID":null,
   "Exception":null,
   "ErrorID":null,
   "ErrorCode":null,
   "InnerExceptions":null
}
