API Reference: OAuth Introspect

Token Introspection

Validates a Bearer token and returns its claims, as specified by RFC 7662 (OAuth 2.0 Token Introspection). Resource Servers call this endpoint on each incoming request to verify that the presented token is still valid.

Authentication required: the Resource Server must authenticate as a confidential OAuth client, either with HTTP Basic authentication or with client credentials passed as form body parameters.

Caching recommendation: cache an "active": true response for at most 60 seconds per token. Never cache an "active": false response.

POST /oauth/introspect

Authorization: Basic Auth

Request Body: application/x-www-form-urlencoded


Response Body: application/json (success and error responses)

Example request (CLIENT_ID and CLIENT_SECRET are placeholders for the Resource Server's confidential client credentials, sent as HTTP Basic auth):

curl -X POST "https://api.whatalo.com/oauth/introspect" \
  -u "$CLIENT_ID:$CLIENT_SECRET" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d 'token=DlcGJFC7UmSx2fYKj7Bg3jhT9QgpyIzNcx7OGAoFu8U'
Example success response (active token):

{
  "active": true,
  "scope": "read:products read:orders",
  "client_id": "abc123def456ghi789jkl012",
  "sub": "usr_7f3a9b2c1d4e5f6a",
  "exp": 1777719020,
  "iat": 1777715420,
  "token_type": "Bearer",
  "aud": "https://api.whatalo.com",
  "iss": "https://app.whatalo.com",
  "whatalo_store_id": "str_8k2m4n6p"
}

Example error response (the Resource Server's own client authentication failed):

{
  "error": "invalid_client",
  "error_description": "Client authentication failed"
}