IntrospectOAuth2TokenWithIAM
Inspects the metadata and active state of an OAuth 2.0 access token or refresh token.
Implements RFC 7662 (OAuth 2.0 Token Introspection) over a SigV4-authenticated endpoint. Returns the claims associated with a token issued by AWS Sign-In. It inspects the metadata of a token issued by AWS Sign-In and returns the claims associated with it.
When the supplied token is unknown, expired, revoked, malformed, or owned by a different account,
the response contains only {"active": false} with all other claims omitted.
Request Syntax
POST /v1/introspect?x-amz-client-auth-method=iam HTTP/1.1
Content-type: application/json
{
"token": "string",
"token_type_hint": "string"
}URI Request Parameters
The request does not use any URI parameters.
Request Body
The request accepts the following data in JSON format.
- token
The string value of the token to introspect. Can be an access token or a refresh token issued by AWS Sign-In.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 4096.
Pattern:
ASO[AR][A-Za-z0-9+/=_\-]+Required: Yes
- token_type_hint
An optional hint about the type of the token submitted for introspection per RFC 7662. The server checks both token types regardless of the hint provided. Allowed values:
access_token,refresh_token.Type: String
Pattern:
(access_token|refresh_token)Required: No
Response Syntax
HTTP/1.1 200
Content-type: application/json
{
"account_id": "string",
"active": boolean,
"aud": "string",
"client_id": "string",
"exp": number,
"iat": number,
"iss": "string",
"jti": "string",
"nbf": number,
"resource": "string",
"signin_session": "string",
"sub": "string",
"token_type": "string",
"user_id": "string"
}Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
- account_id
12-digit AWS account ID of the token's subject principal.
Type: String
Pattern:
[0-9]{12}- active
Indicates whether the token is currently active. Returns
trueonly when the token is valid, has not expired, has not been revoked, and belongs to the caller's account.Type: Boolean
- aud
Audience of the token: the OAuth resource the token is scoped to. Omitted for refresh tokens.
Type: String
- client_id
Client identifier for the OAuth 2.0 client that requested the token.
Type: String
- exp
Token expiration time as a NumericDate (Unix epoch seconds).
Type: Long
- iat
Token issuance time as a NumericDate (Unix epoch seconds).
Type: Long
- iss
Issuer of the token. Always
signin.amazonaws.com.rproxy.govskope.cafor AWS Sign-In.Type: String
- jti
Unique identifier for the token.
Type: String
- nbf
Token "not before" time as a NumericDate (Unix epoch seconds).
Type: Long
- resource
The OAuth resource the token is scoped to. Only present for refresh token introspection.
Type: String
- signin_session
AWS Sign-In session ARN bound to the token, of the form
arn:aws:signin:{region}:{account}:session/{uuid}.Type: String
- sub
Subject of the token: the IAM principal Amazon Resource Name (ARN). For assumed-role sessions, this is the session ARN.
Type: String
- token_type
Indicates which kind of token was introspected. One of
access_tokenorrefresh_token.Type: String
Pattern:
(access_token|refresh_token)- user_id
User identifier matching the
UserIdfield fromsts:GetCallerIdentityfor the token's subject principal.Type: String
Errors
For information about the errors that are common to all actions, see Common Error Types.
- AccessDeniedException
You do not have sufficient access to perform this action.
HTTP Status Code: 400
- InternalServerException
The request processing has failed because of an unknown error, exception or failure with an internal server.
HTTP Status Code: 500
- TooManyRequestsError
Indicates that the principal has exceeded the limit of requests to this API operation.
HTTP Status Code: 429
- ValidationException
The request failed because it contains a syntax error.
HTTP Status Code: 400
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following: