Validate tokens via /introspect vs /keys

Hi, we are using /introspect to validate tokens in our application. We wanted to explore the option of /keys in order to reduce network calls and enhance performance. Wanted to understand if there are any drawbacks or security considerations we need to evaluate in the approach.

Hi there. /introspect will always be the most secure method of token validation as it will be able to tell you if a token is still active. While caching keys to check token signatures will validate that a token is signed by the issuer, it will not catch whether a token has been revoked since being issued. As you mentioned, you will gain better performance and reduce network calls, but the tradeoff is potentially missing token revocation. However, if you make your access tokens short-lived, you can mitigate this issue with local validation.

EDIT: More info can be found here:

https://developer.okta.com/docs/guides/validate-access-tokens/overview/

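The tradeoff described in the answer above, as an added example that is not part of the original thread and is not Okta code: a revoked token keeps passing local validation against cached keys until its `exp`, while an introspection-style check rejects it immediately. The issuer URL, audience, `kid`, the `issue`/`introspect` stand-ins and the RSA key (an insecure test key built from two Mersenne primes) are all constructed assumptions.

```python
import base64, hashlib, json

# Constructed, insecure test key (two Mersenne primes); stands in for the issuer's signing key.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # DigestInfo header
ISSUER, AUDIENCE = "https://issuer.example/oauth2/default", "api://example"  # hypothetical
REVOKED = set()  # issuer-side state; only an introspection call can see it

def b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def unb64u(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def emsa(msg, n):
    """PKCS#1 v1.5 encoding of SHA-256(msg) for modulus n, as an integer."""
    k = (n.bit_length() + 7) // 8
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def issue(jti, iat, ttl):
    """Hypothetical issuer: signs an RS256 access token that lives for ttl seconds."""
    head = b64u(json.dumps({"alg": "RS256", "kid": "test-1"}).encode())
    body = b64u(json.dumps({"iss": ISSUER, "aud": AUDIENCE, "jti": jti, "iat": iat, "exp": iat + ttl}).encode())
    sig = pow(emsa(f"{head}.{body}".encode(), N), D, N)
    return f"{head}.{body}.{b64u(sig.to_bytes((N.bit_length() + 7) // 8, 'big'))}"

def validate_locally(token, jwks, now):
    """Signature, iss, aud and exp checks against cached keys. No network call, no revocation check."""
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(unb64u(head)), json.loads(unb64u(body))
        n, e = jwks[header["kid"]]
        s = int.from_bytes(unb64u(sig), "big")
        good = (header["alg"] == "RS256" and s < n
                and pow(s, e, n) == emsa(f"{head}.{body}".encode(), n)
                and claims["iss"] == ISSUER and claims["aud"] == AUDIENCE and now < claims["exp"])
    except (ValueError, TypeError, KeyError, AttributeError):
        return None
    return claims if good else None

def introspect(token, now):
    """Local stand-in for the issuer's introspection answer: same checks plus revocation state."""
    claims = validate_locally(token, {"test-1": (N, E)}, now)
    return {"active": claims is not None and claims["jti"] not in REVOKED}
```

With a 300-second lifetime, the longest a revoked token can keep passing `validate_locally` is 300 seconds, which is the exposure window the answer suggests shrinking with short-lived tokens.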