/introspect

Inspect token state for a confidential OAuth client.

Endpoint

  • Method: POST
  • URL: https://sso.user.m7.org/introspect
  • Content type: application/x-www-form-urlencoded
  • Response: JSON

Who can use it

This endpoint is for confidential clients.

Public clients are not allowed to use the current introspection endpoint.

Currently advertised auth methods:

  • client_secret_basic
  • client_secret_post
  • client_secret_jwt
  • private_key_jwt

Request fields

  • token (required): the token to inspect
  • token_type_hint (optional)

Example

curl -sS https://sso.user.m7.org/introspect \
  -u 'CLIENT_ID:CLIENT_SECRET' \
  -d token='TOKEN_TO_INSPECT'

Example response

{
  "active": true,
  "client_id": "CLIENT_ID",
  "sub": "USER_OR_SUBJECT_ID",
  "scope": "openid profile offline_access",
  "exp": 1781426507,
  "iat": 1781425607,
  "nbf": 1781425602,
  "iss": "id.m7.org",
  "typ": "session"
}

The exact fields depend on the token being inspected.

Common errors

  • invalid_request
  • invalid_client
  • unauthorized_client
  • insufficient_scope

Notes

  • If the request client can be determined and the token clearly belongs to another client, the endpoint rejects the request.
  • The current M7 surface keeps policy selection internal; callers do not choose a validation mode.
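As an added example (not part of this reference or of the M7 code base), the following Python helper builds the client_secret_basic request shown in the curl example and then applies the caller-side checks a confidential client should run on the response: a strict active flag, the client ownership rule from the notes above, and a local exp/nbf check. The function names, the expected_client_id comparison and the leeway parameter are this example's own assumptions.

```python
import base64
import json
import time
from urllib.parse import urlencode

INTROSPECT_URL = "https://sso.user.m7.org/introspect"  # from the page


def build_introspection_request(client_id, client_secret, token, token_type_hint=None):
    """Build the client_secret_basic POST that mirrors the curl example.

    Returns (url, headers, body). The secret travels only in the Basic header,
    never in the form body or the URL.
    """
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    fields = {"token": token}
    if token_type_hint is not None:
        fields["token_type_hint"] = token_type_hint
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return INTROSPECT_URL, headers, urlencode(fields)


def evaluate_introspection(response_body, expected_client_id, now=None, leeway=0):
    """Decide whether an introspected token may be honoured. Returns (ok, reason).

    Only a JSON literal true counts as active (the string "true" or a missing
    field does not), and exp/nbf are re-checked locally so a cached response
    cannot vouch for a token past its lifetime.
    """
    now = time.time() if now is None else now
    try:
        data = json.loads(response_body)
    except ValueError:
        return False, "malformed response"
    if data.get("active") is not True:
        return False, "inactive"
    if expected_client_id is not None and data.get("client_id") != expected_client_id:
        return False, "token belongs to a different client"
    exp = data.get("exp")
    if exp is not None and now >= exp + leeway:
        return False, "expired"
    nbf = data.get("nbf")
    if nbf is not None and now < nbf - leeway:
        return False, "not yet valid"
    return True, "ok"


# Constructed sample: the page's example response, checked at a clock inside its window.
SAMPLE_RESPONSE = json.dumps({"active": True, "client_id": "CLIENT_ID", "scope": "openid",
                              "exp": 1781426507, "iat": 1781425607, "nbf": 1781425602})
print(evaluate_introspection(SAMPLE_RESPONSE, "CLIENT_ID", now=1781426000))  # (True, 'ok')
```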