Token information service flow

Use the token information service to validate that an access token was issued by the API Gateway.

2 minute read

The OAuth token information service responds to requests for information on a specified OAuth 2.0 access token. A request to the tokenInfo service is an HTTP POST request for information in a specified OAuth 2.0 access token.

OAuth 2.0 Token Info

The endpoint for the token information service is as follows:


Getting information about a token from the authorization server only requires a POST request to the token info endpoint. For example:

POST /api/oauth/tokeninfo HTTP/1.1

This request includes the following parameter:

Parameter Description
access_token Required. A token that you want information about (for example:4eclEUX1N6oVIOoZBbaDTI977SV3T9KqJ3ayOvs4gqhGA4).

Run the sample client

The following Jython sample client creates a token information request to the authorization server:


To run the sample, open a shell prompt at INSTALL_DIR/samples/scripts, and execute the following command:

run oauth/

This displays the following dialog:

Getting OAuth 2.0 Token Info

When the authorization server receives the token information request, it first ensures the token is in its cache (EhCache or Database), and then ensures the token is valid and has not expired.

The following is an example response:

Get token info for this token:BcYGjPOQSCrtbEc1F0ag8zf6OT9rCaMLiI1dYjFLT5zhxz3x5ScrdN
Response from token info request is:200
**********************TOKEN INFO RESPONSE***********************************
Token audience received from authorization server:SampleConfidentialApp
Scopes user consented to:https://localhost:8090/auth/
Token expiry time:3566
User id :admin

Response codes

The following HTTP status codes are returned:

  • 200 if processing is successful
  • 400 on failure

The response is sent back as a JSON message. For example:

     "audience" :"SampleConfidentialApp",
     "user_id" :"admin",
     "scope" :"https://localhost:8090/auth/",
     "expires_in" :2518

You can get additional information about the access token using message attributes. For more details, see OAuth 2.0 server message attributes.