Validate tokens via /introspect vs /keys

Hi there. /introspect will always be the most secure method of token validation as it will be able to tell you if a token is still active. While caching keys to check token signatures will validate that a token is signed by the issuer, it will not catch whether a token has been revoked since being issued. As you mentioned, you will gain better performance and reduce network calls, but the tradeoff is potentially missing token revocation. However, if you make your access tokens short-lived you can mitigate this issue with local validation.

EDIT: More info can be found here:

https://developer.okta.com/docs/guides/validate-access-tokens/overview/

3 Likes