It took me a while to understand how to use /v1/introspect to validate tokens coming from a Single Page Application. The documentation is not clear on that.
For applications that have a client_id and client_secret, the doc is clear. We wrap that in Basic Authentication, add the token as a query string parameter, and create a request.
When getting an access token for a Single Page Application, we don't have a client_secret. We don't use any authentication method and provide the client_id as a query string parameter.
The documentation is explicit on that: https://developer.okta.com/docs/reference/api/oidc/#introspect.
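
Added example, not part of the original post and not Okta's own code: it builds the introspection request for both client types described above and checks the response so that anything other than an active token fails closed. The domain, the `default` authorization server path, the function names and the sample tokens are assumptions, and the parameters are sent in the form-encoded POST body rather than the query string so the token stays out of URL logs.

```python
import base64
import json
import urllib.parse
import urllib.request

# Hypothetical endpoint: substitute your own Okta domain and authorization server.
INTROSPECT_URL = "https://example.okta.com/oauth2/default/v1/introspect"


def build_introspect_request(token, client_id, client_secret=None):
    """Build (but do not send) the POST to /v1/introspect.

    Confidential client: client_id:client_secret go in HTTP Basic auth.
    Public client (SPA): no Authorization header, client_id is a parameter.
    """
    params = {"token": token, "token_type_hint": "access_token"}
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    if client_secret is not None:
        creds = f"{client_id}:{client_secret}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(creds).decode()
    else:
        params["client_id"] = client_id
    body = urllib.parse.urlencode(params).encode()
    return urllib.request.Request(INTROSPECT_URL, data=body,
                                  headers=headers, method="POST")


def token_is_active(response_body, expected_client_id):
    """Fail closed: accept only active == true, issued to the expected client."""
    try:
        claims = json.loads(response_body)
    except (TypeError, ValueError):
        return False
    if not isinstance(claims, dict) or claims.get("active") is not True:
        return False
    return claims.get("client_id") == expected_client_id


if __name__ == "__main__":
    # Constructed sample values, not real credentials or tokens.
    spa = build_introspect_request("sample.access.token", "spa-client-id")
    web = build_introspect_request("sample.access.token", "web-client-id", "web-secret")
    print("SPA body:", spa.data.decode(), "| auth header:", spa.has_header("Authorization"))
    print("Web body:", web.data.decode(), "| auth header:", web.has_header("Authorization"))
    # Constructed introspection responses in the RFC 7662 shape.
    print(token_is_active('{"active": true, "client_id": "spa-client-id"}', "spa-client-id"))
    print(token_is_active('{"active": false}', "spa-client-id"))
```

Send the request with `urllib.request.urlopen(req)` from the backend that receives the SPA's token, and treat any network error or non-200 response the same as an inactive token.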