Validate a Token
Use this API to check the status of a session that was started via either the Authentication or Resource Owner Password Grant flow.
Note that a successful request to this API will return a HTTP 200 - Success but this does not indicate the session is still valid. You need to check the boolean active attribute which is returned in the payload body.
The authentication requirements for this request are dependent on the Token Endpoint Authentication Method that is defined on an OpenId Connect application.
- Basic - Client ID and Client Secret are required in the Authorization header.
- POST - Client ID and Client Secret are required in the request body.
- None (PKCE) - Client ID is required in the request body. Do not include Client Secret.
Resource URL
https://<subdomain>.onelogin.com/oidc/2/token/introspectionHeader Parameter
Authorization string |
Required if Token Endpoint Authentication Method is set to Basic Set to The e.g. Using Node.js this would be |
Content-Type string | application/x-www-form-urlencoded |
Resource Parameter
subdomain required string |
Set to the e.g. |
Request Parameter
token required string |
Set to |
token_type_hint string |
Set to “access_token” |
client_id string |
The OneLogin generated Client ID for your OpenID Connect app. Required if Token Endpoint Authentication method is set to POST or none (PKCE). |
client_secret string |
The OneLogin generated Client Secret for your OpenID Connect app. Required if Token Endpoint Authentication method is set to POST. |
Sample Request Body
token=MmVkMTIyNGUtODI5MC00YzQ4LThkZmQtYzUzYmMzODBkYjY3UV4nmxKh4z....&token_type_hint=access_tokenSample Response
- 200 OK
- 400 Bad Request
The session is valid
{
"active": true,
"token_type": "access_token",
"sub": "32916209",
"client_id": "cc0e6bc0-644a-0135-fd0d-02d3582f0df061892",
"exp": 1507952334,
"iat": 1507948734,
"iss": "https://acme.onelogin.com/oidc/2",
"jti": "OTY3MjhlZGMtNmVlMS00N2ZjLTk4OGItM2RhODgyYWExODNk"
}The session has expired or been revoked
{
"active": false
}{
"error": "invalid_request",
"error_description": "missing required parameter(s). (token)"
}Response Elements
active |
Indicates if the current session is valid |
token_type |
The type of token that was validated |
sub |
The OneLogin ID for the user that started the session |
client_id |
The OneLogin generated Client ID for the OpenID Connect app that started the session. |
exp |
A UNIX epoch time representing the expiry date/time of the token |
iat |
A UNIX epoch time representing the issue date/time of the token |
iss |
The issuing authority of the token |
jti |
A unique identifier for the token |
Sample Code
cURL
Replace sample values indicated by < > with your actual values.
curl -XPOST "https://<subdomain>.onelogin.com/oidc/2/token/introspection" \
-H "Authorization: Basic <base64 encoded client_id:client_secret>" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "token=<access_token>&token_type_hint=access_token"
Postman Collection
- Clicking Run in Postman button navigates to the page where you can fork the collection to your workspace. Forking the collection into your workspace will enable you to contribute to the source collection using pull requests. You can also view the collection in a public workspace if you like and even import a copy of the collection using the links present on the screen.
Have a Question?
Found a problem or a bug? Submit a support ticket.
Looking for walkthroughs or how-to guides on OneLogin's user and admin features? Check out the documentation in our Knowledge Base.
Have a product idea or request? Share it with us in our Ideas Portal.