-
The introspection endpoint is designed for clients—usually APIs—to verify the validity of an access token, whether opaque or JWT, that they receive. This typically occurs after a user logs in and attempts to access a backend API with the token issued for the logged-in user, or it could be a token issued to a machine user such as a CLI or a backend system that cannot perform a login via a browser. Before granting access, the API must confirm that the token is still valid and hasn't been revoked by querying the introspection endpoint. When sending an introspection request, the API (or CLI in this case) must also include a client assertion—a JWT signed with a previously downloaded private key under the JWT profile (not needed if it's not JWT profile)—to prove its registered client status. This ensures only authorized clients can perform token introspection. So, the token you see here has to come from a front end, or it could be a token issued to a service or machine user such as a Personal Access Token (PAT) in ZITADEL. You can get more insight on this topic by reading this blog post - https://zitadel.com/blog/api-access-and-introspection#31-jwt-profile
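The request described in the comment above, as an added Go example that is not part of this discussion or of ZITADEL's own code: it signs a JWT-profile client assertion with the API's private key, places that assertion and the access token under inspection into the introspection form body, and checks the `active` flag of the response. The client id, key id, issuer URL and token values are placeholders, and the exact claim set and endpoint path ZITADEL expects are assumptions, not taken from this page.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"net/url"
	"time"
)

// b64 encodes one JWT segment: base64url without padding.
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// ClientAssertion builds the JWT-profile client assertion (RFC 7523) the API signs with its
// downloaded private key: iss and sub are its client id, aud is the issuer URL (assumed claims).
func ClientAssertion(key *rsa.PrivateKey, keyID, clientID, issuer string, now time.Time) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": keyID})
	claims, _ := json.Marshal(map[string]interface{}{
		"iss": clientID, "sub": clientID, "aud": issuer,
		"iat": now.Unix(), "exp": now.Add(time.Hour).Unix(), // short-lived on purpose
	})
	signingInput := b64(hdr) + "." + b64(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// IntrospectionBody is the form body POSTed to the introspection endpoint. client_assertion
// identifies the API doing the lookup; token is the access token (or PAT) being checked.
func IntrospectionBody(assertion, accessToken string) url.Values {
	return url.Values{
		"client_assertion_type": {"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"},
		"client_assertion":      {assertion},
		"token":                 {accessToken},
	}
}

// Active reports whether an RFC 7662 response says the token is still valid; anything but
// active:true (including an unparsable body) must be treated as deny.
func Active(response []byte) bool {
	var r struct{ Active bool `json:"active"` }
	return json.Unmarshal(response, &r) == nil && r.Active
}
```

The body from IntrospectionBody is sent with `Content-Type: application/x-www-form-urlencoded`, and the API should also check `aud`, `exp` and `scope` in the response before granting access.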
-
Yes thank you but...you linked me back to the link I gave you asking what the I am trying to help you guys :)
-
In the docs Token Introspection the request params are shown as:
However in your cURL sample below this you show a 'token' body param also:
What is the 'token' param and where do I get it, or do I need it or want it if optional?