Introspection response for expired access token

When an resource server makes a request to Authlete’s /auth/introspection API, and the request includes an expired access token, Authlete works as follows:

To the first request: Authlete determines the token has been expired and then removes the token from its database.
To the second and subsequent requests: Authlete determines the token doesn’t exist. Because the token has been removed at the first request.

In either case, a value of “action” in a response from the API would be “UNAUTHORIZED”. See also:

JavaDoc for Class IntrospectionResponse

Token revocation policy Access Token Scopes

Client Management

Client Authentication

Scopes & Consent

Authorization Requests

Token Issuance & Formats

Token Lifecycle & Policies

Token Introspection & Validation

Identity Endpoints

Verifiable Credentials

Error Handling & Debugging

Security

Introspection response for expired access token