          OpenID Connect Token Introspection

          As part of the authorization process, token introspection allows all OAuth connected apps to check the current state of an OAuth 2.0 access or refresh token. The resource server or connected apps send the client app’s client ID and secret to the authorization server, initiating an OAuth authorization flow. As part of this flow, the authorization server validates, or introspects, the client app’s access token. If the access token is current and valid, the client app is granted access.

          Required Editions

          Available in: both Salesforce Classic and Lightning Experience
          Available in: All Editions

          A connected app representing a client app sends a request to the Salesforce token introspection endpoint to validate its access token. The format of the token introspection endpoint URL is https://hostname/services/oauth2/introspect.

          Note: An OAuth client that directly registers OAuth 2.0 connected apps through the dynamic client registration endpoint can check the state of access and refresh tokens for itself and its registered connected apps. In addition, you can authorize a single connected app to introspect all access and refresh tokens throughout the entire org.

          The requesting connected app can provide the client_id and client_secret in the Basic authorization request’s header or request’s body.

          This example shows a request posted to the token introspection endpoint with the client credentials in the Basic authorization header.

          POST /services/oauth2/introspect HTTP/1.1
          Host: mycompany.my.salesforce.com
          Accept: application/json
          Content-Type: application/x-www-form-urlencoded
          Authorization: Basic M01WRzlsS2NQb05JTlZCSVBKamR3MUo5TExNODJIbkZWVlgxOUtZMQp1QTVtdTBRcUVXaHFLcG9XM3N2RzNYSHJYRGlDUWpLMW1kZ0F2aENzY0E5R0U6MTk1NTI3OTkyNTY3NTI0MTU3MQ==

          token=00DR00000009GVP!ARQAQE5XuPV7J4GoOu3wvLZjZI_TxoBpeZpRb6d8AVdII6cz_BY_uu1PKxGeAjkSvO0LpWoL_qfbQWKlXoz1f2ICNiy.6Ndr&token_type_hint=access_token

          This example shows a request posted to the token introspection endpoint with the client credentials in the request’s body.

          POST /services/oauth2/introspect HTTP/1.1
          Host: mycompany.my.salesforce.com
          Accept: application/json
          Content-Type: application/x-www-form-urlencoded

          token=00DR00000009GVP!ARQAQE5XuPV7J4GoOu3wvLZjZI_TxoBpeZpRb6d8AVdII6cz_BY_uu1PKxGeAjkSvO0LpWoL_qfbQWKlXoz1f2ICNiy.6Ndr&client_id=3MVG9lKcPoNINVBIPJjdw1J9LLM82HnFVVX19KY1uA5mu0QqEWhqKpoW3svG3XHrXDiCQjK1mdgAvhCscA9GE&client_secret=1955279925675241571&token_type_hint=access_token

          Note: If the client_id and client_secret are sent in the POST’s body, the authorization header is ignored.

          Include the following parameters in the token introspection request. For information about the token introspection request, refer to section 2.1 Introspection Request in the Internet Engineering Task Force OAuth 2.0 Token Introspection document.

          Parameters:

          token
          The string value of the access token or refresh token returned from the token endpoint.

          token_type_hint
          (Optional) A hint about the token type being queried in the request. There are two valid values:

          • access_token
          • refresh_token

          child_sessions
          (Optional) The status of Content, Lightning, or VisualForce child sessions. Because this parameter increases the response length, we recommend that you only use it when you need information about child sessions. For example, use this parameter to identify why a child session fails to load.

          You can only include this parameter for introspection of active access tokens. It doesn’t work with introspection of refresh tokens.

          To include the parameter in your introspection request, enter child_sessions=all. Salesforce responds with a value for each type of child session:

          • active—The child session is active and has a valid access token.
          • inactive—The child session doesn’t have a current access token.
          • missing—A child session can’t be found.
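The following Python example is added here to tie the two request variants and the parameter table together; it is not Salesforce code. It builds the introspection request with the client credentials either in the Basic authorization header or in the form body, refuses the child_sessions parameter for refresh-token hints (as the table says it only applies to access tokens), and then evaluates a constructed introspection response the way a resource server should: fail closed unless the response says active is exactly true, re-check exp locally, and confirm the scope you need was granted. The endpoint path and parameter names come from the article; the response fields active, exp and scope are assumed to follow RFC 7662, and all tokens, IDs and secrets below are constructed placeholders.

```python
"""Build an OAuth 2.0 token introspection request and evaluate the response.

Added example, not Salesforce code. The endpoint path and the parameters
token, token_type_hint, child_sessions, client_id and client_secret are
from the article; the response fields (active, exp, scope) are assumed to
follow RFC 7662. Every credential and token here is a constructed value.
"""
import base64
import json
import time
from urllib.parse import urlencode

INTROSPECT_PATH = "/services/oauth2/introspect"  # from the article


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Authorization header value for the 'credentials in header' variant."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_request(hostname, token, client_id, client_secret,
                  token_type_hint="access_token", child_sessions=False,
                  credentials_in_body=False):
    """Return (method, path, headers, body) for the introspection call.

    child_sessions=all only applies to access-token introspection, so a
    request that combines it with a refresh_token hint is rejected here
    instead of being sent and silently ignored.
    """
    if child_sessions and token_type_hint != "access_token":
        raise ValueError("child_sessions only applies to access-token introspection")
    params = {"token": token}
    if credentials_in_body:
        # Body credentials take precedence; the Authorization header would be ignored.
        params["client_id"] = client_id
        params["client_secret"] = client_secret
    params["token_type_hint"] = token_type_hint
    if child_sessions:
        params["child_sessions"] = "all"
    headers = {
        "Host": hostname,
        "Accept": "application/json",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    if not credentials_in_body:
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    return "POST", INTROSPECT_PATH, headers, urlencode(params)


def evaluate_response(body, required_scope=None, now=None):
    """Decide whether a resource server should honour the introspected token.

    Fail closed: anything other than a JSON boolean active=true denies,
    exp is re-checked locally as defence in depth, and the required scope
    must appear in the space-separated scope string (assumed RFC 7662 shape).
    """
    now = time.time() if now is None else now
    try:
        data = json.loads(body)
    except ValueError:
        return False, "response is not JSON"
    if data.get("active") is not True:
        return False, "token not active"
    exp = data.get("exp")
    if isinstance(exp, (int, float)) and exp <= now:
        return False, "token expired"
    if required_scope:
        granted = set(str(data.get("scope", "")).split())
        if required_scope not in granted:
            return False, f"scope {required_scope} not granted"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: what an introspection response might look like.
    sample = '{"active": true, "exp": 1700003600, "scope": "api refresh_token"}'
    method, path, headers, form = build_request(
        "mycompany.my.salesforce.com", "CONSTRUCTED_ACCESS_TOKEN",
        "CONSTRUCTED_CLIENT_ID", "CONSTRUCTED_CLIENT_SECRET", child_sessions=True)
    print(method, path)
    print(headers)
    print(form)
    print(evaluate_response(sample, required_scope="api", now=1_700_000_000))
```

The decision function deliberately treats a string "true", a missing active field or a malformed body as a deny; a resource server that only checks for a truthy value would accept all of those.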