I took a while to understand how to use /v1/introspect to validate tokens coming from a Single Page Application. The documentation is not clear on that.
For applications that have a client_id and client_secret, the documentation is clear. We wrap those in Basic Authentication, add the token as a query string parameter and create a request.
When getting an access token for a Single Page Application we don't have a client_secret. We don't use any authentication method and provide the client_id as a query string parameter.
Thanks for your valuable feedback.
The documentation is indeed lacking for calling the /introspect endpoint for SPA tokens.
We will update the documentation accordingly.
Update: We have updated the documentation. Please take a look if it looks right. Thanks again.
I came across this post from a year ago, while looking for information on how to use the introspection endpoint for SPA apps. I’m still not seeing any update to the documentation for this. What am I missing?
For public clients (such as single-page and mobile apps) that don't have a client_secret, you must include the client_id as a query parameter when calling the /introspect endpoint. Make sure that you aren't passing the Authorization header in the request.