Preface
This article describes Authlete's two kinds of introspection APIs and their use cases.
Introspection APIs provided by Authlete
Authlete provides two APIs to fulfill token introspection.
/auth/introspection API
/auth/introspection API is a proprietary API of Authlete. It is designed to be used by the implementation of a protected resource endpoint (e.g. a Web API) in a resource server (RS). Besides the access token itself, the API accepts the values the token is expected to be bound to, such as a scope, a subject, a client certificate, and a DPoP proof JWT, so that the RS can offload verification of those bindings to Authlete. This simplifies the implementation of the RS.
/auth/introspection/standard API
/auth/introspection/standard API is designed to be used by the implementation of an RFC 7662 compliant introspection endpoint in an authorization server (AS). Upon receiving an introspection request from the RS, the AS forwards the request parameters to Authlete. Authlete processes the request in accordance with RFC 7662, generates the introspection response content, and returns it to the AS.
Choosing an introspection API based on architecture
The choice between the two introspection APIs depends on the desired level of coupling between the AS, the RS, and Authlete. Common use cases and the most suitable API for each are outlined below.
RS to talk directly to Authlete
If the RS is able to possess an Authlete service access token, the simplest approach is for the RS to call Authlete’s /auth/introspection API directly. As of Authlete version 3.0.31 or later, the Custom Service Token feature allows you to restrict the service access token’s permissions solely to introspection.
API gateway to accept all incoming API requests from clients
If an API gateway handles both AS endpoints (such as the token endpoint) and RS API endpoints, it will inherently possess an Authlete service access token. Consequently, as with the previous case, using the /auth/introspection API provides the simplest architecture.
Exposing RFC 7662 introspection API for the RS
If you want to avoid direct communication between the RS and Authlete, or completely decouple the AS and RS, it is recommended that the AS expose an RFC 7662-compliant introspection API to the RS and call Authlete’s /auth/introspection/standard API to process the request.
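The following is an added example, not Authlete's own code or SDK, showing the two integration styles described above side by side: an RS that calls /auth/introspection to have Authlete verify a token and its bindings, and an AS that exposes an RFC 7662 endpoint to the RS and forwards the request to /auth/introspection/standard. The request and response field names (token, scopes, clientCertificate, dpop, htm, htu, parameters, action, responseContent), the mapping of action values to HTTP status codes, and the treatment of responseContent as a ready-made WWW-Authenticate value are assumptions to verify against the API reference for your Authlete version; the API paths are written as the article names them, without the deployment-specific base URL. The HTTP transport is abstracted so the fake Authlete at the bottom, which is constructed for offline use, can stand in for the real service.

```python
import json
import urllib.parse
from typing import Callable, Dict, List, Optional, Tuple

# A transport is anything that POSTs a JSON body to an Authlete API path and
# returns the parsed JSON reply. Real code would add the service access token
# as "Authorization: Bearer <token>" and prefix the deployment's base URL.
Transport = Callable[[str, Dict], Dict]

# Assumed mapping of Authlete's "action" values to the HTTP status an RS returns.
ACTION_TO_STATUS = {"OK": 200, "BAD_REQUEST": 400, "UNAUTHORIZED": 401,
                    "FORBIDDEN": 403, "INTERNAL_SERVER_ERROR": 500}


def extract_bearer_token(authorization: Optional[str]) -> Optional[str]:
    """Return the token from 'Authorization: Bearer <token>' (or 'DPoP <token>'), else None."""
    if not authorization:
        return None
    parts = authorization.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() not in ("bearer", "dpop"):
        return None
    return parts[1].strip() or None


def rs_validate_access_token(post: Transport, authorization: Optional[str],
                             required_scopes: List[str], client_cert_pem: Optional[str] = None,
                             dpop_proof: Optional[str] = None, htm: Optional[str] = None,
                             htu: Optional[str] = None) -> Tuple[int, Optional[str], Optional[Dict]]:
    """RS path: hand the token and everything it should be bound to (scopes,
    client certificate, DPoP proof plus the request's method and URI) to
    /auth/introspection and let Authlete verify the bindings.
    Returns (http_status, WWW-Authenticate value or None, Authlete result or None)."""
    token = extract_bearer_token(authorization)
    if token is None:
        return 401, 'Bearer error="invalid_request"', None
    body: Dict = {"token": token, "scopes": list(required_scopes)}
    if client_cert_pem:
        body["clientCertificate"] = client_cert_pem  # certificate-bound tokens (RFC 8705)
    if dpop_proof:
        body.update({"dpop": dpop_proof, "htm": htm, "htu": htu})  # DPoP binding (RFC 9449)
    result = post("/auth/introspection", body)
    status = ACTION_TO_STATUS.get(result.get("action"), 500)
    if status == 200:
        return 200, None, result
    # responseContent is assumed to be a ready-made WWW-Authenticate header value.
    return status, result.get("responseContent"), None


def as_handle_introspection_request(post: Transport, caller_authenticated: bool,
                                    form_body: str) -> Tuple[int, str]:
    """AS path: an RFC 7662 endpoint that forwards the raw form-encoded request
    to /auth/introspection/standard and relays the JSON Authlete builds.
    RFC 7662 section 2.1 requires the caller to be authorized first, so an
    unauthenticated RS is refused before anything reaches Authlete.
    Returns (http_status, JSON body)."""
    if not caller_authenticated:
        return 401, json.dumps({"error": "invalid_client"})
    result = post("/auth/introspection/standard", {"parameters": form_body})
    action = result.get("action")
    if action == "OK":
        return 200, result["responseContent"]
    if action == "BAD_REQUEST":
        return 400, result.get("responseContent", json.dumps({"error": "invalid_request"}))
    return 500, json.dumps({"error": "server_error"})


def fake_authlete(path: str, body: Dict) -> Dict:
    """Constructed stand-in for Authlete so this file runs offline. It knows one
    token, 'valid-token', with scopes read and write, belonging to user-123."""
    if path == "/auth/introspection":
        if body["token"] != "valid-token":
            return {"action": "UNAUTHORIZED", "responseContent": 'Bearer error="invalid_token"'}
        if not set(body["scopes"]) <= {"read", "write"}:
            return {"action": "FORBIDDEN", "responseContent": 'Bearer error="insufficient_scope"'}
        return {"action": "OK", "subject": "user-123", "scopes": ["read", "write"]}
    if path == "/auth/introspection/standard":
        params = urllib.parse.parse_qs(body["parameters"])
        token = params.get("token", [""])[0]
        if not token:
            return {"action": "BAD_REQUEST", "responseContent": json.dumps({"error": "invalid_request"})}
        if token != "valid-token":
            # RFC 7662: unknown or revoked tokens are simply reported as inactive.
            return {"action": "OK", "responseContent": json.dumps({"active": False})}
        return {"action": "OK", "responseContent": json.dumps(
            {"active": True, "sub": "user-123", "scope": "read write"})}
    return {"action": "INTERNAL_SERVER_ERROR"}


if __name__ == "__main__":
    print(rs_validate_access_token(fake_authlete, "Bearer valid-token", ["read"]))
    print(as_handle_introspection_request(fake_authlete, True, "token=valid-token"))
```

The two entry points make the coupling difference concrete: rs_validate_access_token needs an Authlete service access token on the RS side, whereas as_handle_introspection_request keeps that credential in the AS and exposes only the RFC 7662 contract to the RS.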