Introspect token
Visibility: public · internal (OpenAPI custom extension: x-visibility)
Determine whether an access token is currently active and return its claims. Inspired by RFC 7662 (OAuth 2.0 Token Introspection) but uses application/json instead of form-encoded requests.
A token is considered active when all of the following are true:
- The token has not expired.
- The token has not been revoked.
- The underlying credential (API key, service account credential) is still active and not disabled.
- The parent principal (user, service account) is still active.
This endpoint is intended for resource servers that need to validate a token beyond signature verification — for example, before executing sensitive operations where even a short-lived token should be checked against the current credential state.
The caller must be authenticated (typically a resource server using its own service account credentials).
Authorization
bearerAuth Bearer token authentication using OAuth2/OIDC tokens
In: header
Request Body
application/json
token: The access token (JWT) to introspect.
Response Body
application/json
curl -X POST "https://api.k0rdent.ai/v1/regions/global/auth/introspect" \
  -H "Authorization: Bearer <caller-access-token>" \
  -H "Content-Type: application/json" \
  -d '{ "token": "string" }'

{
  "active": true,
  "sub": "user-xyz789",
  "iss": "https://auth.platform.example.com",
  "aud": "string",
  "exp": 0,
  "iat": 0,
  "jti": "string",
  "tenant_id": "org-acme",
  "scope": "organization",
  "scope_id": "proj-abc123",
  "roles": [
    "viewer",
    "member"
  ],
  "principal_type": "user",
  "credential_id": "apikey-j2k3l4"
}

Error responses use the following shape:

{
  "error": {
    "code": 0,
    "message": "string",
    "details": [
      {}
    ]
  }
}
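A resource server gating a sensitive operation on this endpoint should fail closed: any transport error, non-200 status, malformed body, or `active` value other than JSON `true` is treated as an inactive token. The sketch below is an added example, not code from the k0rdent project; the function names (`http_post`, `introspect`, `allow_sensitive_op`), the audience and role policy, and the assumption that an inactive token yields `"active": false` or an error response are all hypothetical.

```python
import json
import urllib.request

INTROSPECT_URL = "https://api.k0rdent.ai/v1/regions/global/auth/introspect"  # URL from the page


def http_post(url, body, caller_token):
    """Default transport: POST JSON using the resource server's own bearer token."""
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {caller_token}"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status, resp.read()


def introspect(token, caller_token, post=http_post):
    """Return the claims dict for an active token, or None. Fails closed."""
    try:
        status, raw = post(INTROSPECT_URL, {"token": token}, caller_token)
        claims = json.loads(raw)
    except (OSError, ValueError):
        return None  # network failure, HTTP error status or bad JSON: treat as inactive
    if status != 200 or not isinstance(claims, dict):
        return None
    # Only the literal JSON true counts; "true", 1 or a missing field do not.
    return claims if claims.get("active") is True else None


def allow_sensitive_op(token, caller_token, expected_aud, required_role, post=http_post):
    """Gate a sensitive operation on current credential state plus local policy."""
    claims = introspect(token, caller_token, post)
    if claims is None:
        return False
    if claims.get("aud") != expected_aud:  # assumes aud is a single string, as in the sample
        return False  # token was issued for a different resource server
    roles = claims.get("roles")
    return isinstance(roles, list) and required_role in roles
```

The `post` parameter exists so the decision logic can be exercised offline with a stub transport; the token being introspected is never logged or echoed.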