Hi @BirdThunderford. You said you passed client id in the body, but take note from the docs:
For public clients (such as single-page and mobile apps) that don’t have a client_secret, you must include the client_id as a query parameter when calling the /introspect endpoint. Make sure that you aren’t passing the Authorization header in the request.
Give that a shot and see if that works for you.
Also - this is a great way to validate tokens and generally the most secure way. It comes at a cost of relying on an external network call, however. Another option is local token validation using a JWT verifier. We have a Python one in development right now, but it’s unfortunately not public yet. Here’s an example of a Node JWT verifier we made: @okta/jwt-verifier - npm
There are definitely reputable open-source Python JWT verifiers out there, but I don’t want to link to any to seem like it’s an official Okta recommendation.
But if the /introspect flow works for your purposes, that approach would be great.
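The request shape the quoted docs describe for a public client, as an added example that is not part of the original reply or Okta's own code: client_id goes in the query string, the token in the form body, and no Authorization header is set. The URL is a placeholder for your own org's introspect endpoint, the function names are hypothetical, and the `token`, `token_type_hint` and `active` fields follow RFC 7662.

```python
import json
import urllib.parse
import urllib.request

# Placeholder (assumption): substitute your own org's introspect URL.
INTROSPECT_URL = "https://your-org.example/oauth2/default/v1/introspect"


def build_introspect_request(introspect_url, client_id, token, hint="access_token"):
    """Build the POST for a public client: client_id in the query string,
    token in the form body, and no Authorization header."""
    parts = urllib.parse.urlsplit(introspect_url)
    query = urllib.parse.parse_qsl(parts.query)
    query.append(("client_id", client_id))
    url = urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(query)))
    body = urllib.parse.urlencode({"token": token, "token_type_hint": hint}).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    req.add_header("Accept", "application/json")
    return req


def is_active(response_body):
    """Fail closed: only a JSON object with active == True counts as valid."""
    try:
        claims = json.loads(response_body)
    except (ValueError, TypeError):
        return False
    return isinstance(claims, dict) and claims.get("active") is True


def introspect(introspect_url, client_id, token, timeout=5):
    """Send the request; any network or HTTP error is treated as 'not active'."""
    req = build_introspect_request(introspect_url, client_id, token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return is_active(resp.read())
    except OSError:  # URLError and HTTPError are subclasses of OSError
        return False
```

Treating every error path as inactive means an outage of the introspect endpoint rejects requests instead of accepting unverified tokens.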