For services, such as resource servers, that want to know whether a token is still usable (is it still valid, who is the owner). Ideally used in tandem with the client credentials grant.
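```ruby
plugin :rodauth do
  # Enables the token introspection endpoint.
  # Optionally enable the client credentials grant alongside it:
  enable :oauth_token_introspection # , :oauth_client_credentials_grant
end
```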
This endpoint requires client authorization. Any of the supported auth methods for the token endpoint can be used, as well as token verification (if the resource server issued an access token using the client credentials grant).
The introspection endpoint expects the following parameters:
token_type_hint
: can be “access_token” or “refresh_token”;

token
: the access or refresh token to introspect;
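
How a resource server could build this request and read the answer, as an added example that is not taken from the rodauth-oauth documentation. It assumes the endpoint is mounted at `/introspect`, that HTTP Basic client authentication is enabled, and that the response follows RFC 7662 (a JSON object with a boolean `active`); the host, credentials and sample responses are constructed.

```ruby
require "net/http"
require "json"
require "uri"

# The two values the page lists for token_type_hint.
TOKEN_TYPE_HINTS = %w[access_token refresh_token].freeze

# Build the POST a resource server sends to the introspection endpoint.
# Client authentication is HTTP Basic here (assumed to be enabled server-side).
def build_introspection_request(endpoint, token, client_id:, client_secret:, hint: nil)
  raise ArgumentError, "token is required" if token.to_s.empty?
  unless hint.nil? || TOKEN_TYPE_HINTS.include?(hint)
    raise ArgumentError, "unsupported token_type_hint: #{hint.inspect}"
  end
  uri = URI(endpoint)
  # The request carries a client secret and a bearer token: refuse plain HTTP.
  raise ArgumentError, "introspection must use https" unless uri.scheme == "https"

  req = Net::HTTP::Post.new(uri)
  req.basic_auth(client_id, client_secret)
  params = { "token" => token }
  params["token_type_hint"] = hint if hint
  req.set_form_data(params)
  req
end

# Fail closed: only a JSON object whose "active" is literally true is accepted.
# Returns the claims hash for an active token, nil for anything else.
def active_token_claims(body)
  claims = JSON.parse(body.to_s)
  claims.is_a?(Hash) && claims["active"] == true ? claims : nil
rescue JSON::ParserError
  nil
end

# Constructed sample responses in RFC 7662 shape, not captured from a server.
SAMPLE_ACTIVE = '{"active":true,"client_id":"rs-client","scope":"read"}'
SAMPLE_INACTIVE = '{"active":false}'

if __FILE__ == $PROGRAM_NAME
  req = build_introspection_request("https://auth.example.test/introspect",
                                    "sample-token", client_id: "rs-client",
                                    client_secret: "rs-secret", hint: "access_token")
  puts req.body
  p active_token_claims(SAMPLE_ACTIVE)
  p active_token_claims(SAMPLE_INACTIVE)
end
```

To send the request, pass it to `Net::HTTP.start(uri.host, uri.port, use_ssl: true) { |http| http.request(req) }` and hand the response body to `active_token_claims`.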