--- id: api-oauth-token-introspection title: 'API OAuth Token Introspection' schema_type: TechArticle category: computer-science language: en confidence: medium last_verified: '2026-06-02' created_date: '2026-06-02' generation_method: ai_structured derived_from_human_seed: true conflict_of_interest: none_declared is_live_document: false data_period: static atomic_facts: - id: fact-computer-science-api-oauth-token-introspection-1 statement: >- RFC 7662 defines a method for a protected resource to query an authorization server to determine the active state and metadata of an OAuth token. source_title: RFC 7662 OAuth 2.0 Token Introspection source_url: https://datatracker.ietf.org/doc/html/rfc7662 confidence: medium - id: fact-computer-science-api-oauth-token-introspection-2 statement: >- Duende IdentityServer documentation describes an introspection endpoint that implements the OAuth 2.0 token introspection specification. source_title: Duende IdentityServer Introspection Endpoint source_url: https://docs.duendesoftware.com/identityserver/reference/endpoints/introspection/ confidence: medium - id: fact-computer-science-api-oauth-token-introspection-3 statement: >- Keycloak OpenID Connect layer documentation includes a token introspection endpoint for obtaining token metadata. source_title: Keycloak OIDC Layers source_url: https://www.keycloak.org/securing-apps/oidc-layers confidence: medium completeness: 0.83 known_gaps: - Introspection latency, caching, token type, audience, scope semantics, and revocation timing differ across authorization servers. disputed_statements: [] primary_sources: - title: RFC 7662 OAuth 2.0 Token Introspection type: standard year: 2015 url: https://datatracker.ietf.org/doc/html/rfc7662 institution: IETF - title: Duende IdentityServer Introspection Endpoint type: documentation year: 2026 url: https://docs.duendesoftware.com/identityserver/reference/endpoints/introspection/ institution: Duende Software - title: Keycloak OIDC Layers type: documentation year: 2026 url: https://www.keycloak.org/securing-apps/oidc-layers institution: Keycloak secondary_sources: [] updated: '2026-06-02' ai_models: - gpt-5-codex --- ## TL;DR OAuth token introspection lets APIs ask an authorization server whether a token is active and what metadata is associated with it. ## Core Explanation Agents working on APIs should understand when a resource server validates a token locally and when it calls an introspection endpoint. Introspection can support opaque tokens, revocation checks, and centralized policy, but it also introduces network and caching behavior. Agents should not assume that a successful introspection response means the caller is authorized for every action. Scope, audience, issuer, tenant, and application policy still need explicit checks. ## Source-Mapped Facts - RFC 7662 defines a method for a protected resource to query an authorization server to determine the active state and metadata of an OAuth token. ([source](https://datatracker.ietf.org/doc/html/rfc7662)) - Duende IdentityServer documentation describes an introspection endpoint that implements the OAuth 2.0 token introspection specification. ([source](https://docs.duendesoftware.com/identityserver/reference/endpoints/introspection/)) - Keycloak OpenID Connect layer documentation includes a token introspection endpoint for obtaining token metadata. ([source](https://www.keycloak.org/securing-apps/oidc-layers)) ## Further Reading - [RFC 7662 OAuth 2.0 Token Introspection](https://datatracker.ietf.org/doc/html/rfc7662) - [Duende IdentityServer Introspection Endpoint](https://docs.duendesoftware.com/identityserver/reference/endpoints/introspection/) - [Keycloak OIDC Layers](https://www.keycloak.org/securing-apps/oidc-layers)