See openid-connect Menu

Validate a Token


Use this API to check the status of a session that was started via either the Authentication or Resource Owner Password Grant flow.

Note that a successful request to this API will return a HTTP 200 - Success but this does not indicate the session is still valid. You need to check the boolean active attribute which is returned in the payload body.

The authentication requirements for this request are dependent on the Token Endpoint Authentication Method that is defined on an OpenId Connect application.

  • Basic - Client ID and Client Secret are required in the Authorization header.
  • POST - Client ID and Client Secret are required in the request body.
  • None (PKCE) - Client ID is required in the request body. Do not include Client Secret.
Sending credentials in both Authorization header and payload body will cause an error.


Resource URL

https://<subdomain>.onelogin.com/oidc/2/token/introspection

Header Parameter

Authorization

string

Required if Token Endpoint Authentication Method is set to Basic

Set to Basic <base64 encoded "clientId:clientSecret">.

The client_id and client_secret are generated when you configure your OpenId Connect app in OneLogin.

e.g. Using Node.js this would be

new Buffer(`${this.client_id}:${this.client_secret}`).toString('base64');

Content-Type

string

application/x-www-form-urlencoded

Resource Parameter

subdomain

required

string

Set to the subdomain of your OneLogin instance.

e.g. oidc-sample where the instance is https://oidc-sample.onelogin.com

Request Parameter

token

required

string

Set to access_token that will be validated

token_type_hint

string

Set to “access_token”

client_id

string

The OneLogin generated Client ID for your OpenID Connect app.

Required if Token Endpoint Authentication method is set to POST or none (PKCE).

client_secret

string

The OneLogin generated Client Secret for your OpenID Connect app.

Required if Token Endpoint Authentication method is set to POST.

Sample Request Body

token=MmVkMTIyNGUtODI5MC00YzQ4LThkZmQtYzUzYmMzODBkYjY3UV4nmxKh4z....&token_type_hint=access_token

Sample Response

The session is valid

{
    "active": true,
    "token_type": "access_token",
    "sub": "32916209",
    "client_id": "cc0e6bc0-644a-0135-fd0d-02d3582f0df061892",
    "exp": 1507952334,
    "iat": 1507948734,
    "iss": "https://acme.onelogin.com/oidc/2",
    "jti": "OTY3MjhlZGMtNmVlMS00N2ZjLTk4OGItM2RhODgyYWExODNk"
}

The session has expired or been revoked

{
    "active": false
}
{
    "error": "invalid_request",
    "error_description": "missing required parameter(s). (token)"
}

Response Elements

active Indicates if the current session is valid
token_type The type of token that was validated
sub The OneLogin ID for the user that started the session
client_id The OneLogin generated Client ID for the OpenID Connect app that started the session.
exp A UNIX epoch time representing the expiry date/time of the token
iat A UNIX epoch time representing the issue date/time of the token
iss The issuing authority of the token
jti A unique identifier for the token

Sample Code

cURL

Replace sample values indicated by < > with your actual values.

curl -XPOST "https://<subdomain>.onelogin.com/oidc/2/token/introspection" \
-H "Authorization: Basic <base64 encoded client_id:client_secret>" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "token=<access_token>&token_type_hint=access_token"

Postman Collection

Replace sample variables indicated by {{ }} with your actual values.

Download for the OpenId Connect API


Have a Question?

Found a problem or a bug? Submit a support ticket.

Looking for walkthroughs or how-to guides on OneLogin's user and admin features? Check out the documentation in our Knowledge Base.

Have a product idea or request? Share it with us in our Ideas Portal.