POST /v1/regions/global/auth/introspect
Introspect token
const options = {
  method: 'POST',
  headers: {Authorization: 'Bearer <token>', 'Content-Type': 'application/json'},
  body: JSON.stringify({token: '<string>'})
};

fetch('https://api.k0rdent.ai/v1/regions/global/auth/introspect', options)
  .then(res => res.json())
  .then(res => console.log(res))
  .catch(err => console.error(err));

{
  "active": true,
  "sub": "user-xyz789",
  "iss": "https://auth.platform.example.com",
  "aud": "<string>",
  "exp": 123,
  "iat": 123,
  "jti": "<string>",
  "tenant_id": "org-acme",
  "scope": "organization",
  "scope_id": "proj-abc123",
  "roles": [
    "viewer",
    "member"
  ],
  "principal_type": "user",
  "credential_id": "apikey-j2k3l4"
}

Authorizations

Authorization
string
header
required

Bearer token authentication using OAuth2/OIDC tokens

Body

application/json
token
string
required

The access token (JWT) to introspect.

Response

Introspection result. If the token is active, the full claim set is returned. If inactive, only active: false is returned — no claims are exposed for invalid tokens.

Returned when the token is valid and active. Includes the full decoded claim set per RFC 7662.
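
One way a downstream service might act on this response, as an added example that is not part of the k0rdent documentation: it fails closed on anything other than `active: true`, then checks the claims documented on this page. The `policy` and `resource` objects, the `inventory-api` audience and the exact-match scope rule are assumptions made for illustration.

```javascript
// Added example: fail-closed authorization on an introspection response.
// `policy`, `resource` and the exact-match scope rule are hypothetical.
function authorizeIntrospection(result, policy, resource,
                                nowSeconds = Math.floor(Date.now() / 1000)) {
  const deny = (reason) => ({ allowed: false, reason });

  // Inactive tokens carry only {active: false}; accept nothing but boolean true.
  if (!result || result.active !== true) return deny('inactive');

  // Bind the token to the expected issuer and to this service.
  if (result.iss !== policy.issuer) return deny('issuer');
  if (result.aud !== policy.audience) return deny('audience');

  // Re-check expiry locally so a cached response cannot outlive the token.
  if (!Number.isInteger(result.exp) || result.exp <= nowSeconds) return deny('expired');

  // Tenant and scope boundary must match the resource being accessed.
  if (result.tenant_id !== resource.tenantId) return deny('tenant');
  if (result.scope !== resource.level || result.scope_id !== resource.id) {
    return deny('scope');
  }

  // Principal-type-specific policy, e.g. a route closed to service accounts.
  if (!policy.allowedPrincipalTypes.includes(result.principal_type)) {
    return deny('principal_type');
  }
  // credential_id is null only for interactive sessions.
  if (result.principal_type !== 'user' && !result.credential_id) {
    return deny('credential_id');
  }

  const roles = Array.isArray(result.roles) ? result.roles : [];
  if (!roles.includes(policy.requiredRole)) return deny('role');

  return { allowed: true, subject: result.sub, credentialId: result.credential_id ?? null };
}

// Constructed sample data (not real tokens or tenants).
const SAMPLE = {
  active: true, sub: 'user-xyz789', iss: 'https://auth.platform.example.com',
  aud: 'inventory-api', exp: 2000000000, iat: 1999996400, jti: 'jti-0001',
  tenant_id: 'org-acme', scope: 'project', scope_id: 'proj-abc123',
  roles: ['viewer', 'member'], principal_type: 'api_key', credential_id: 'apikey-j2k3l4',
};
const POLICY = { issuer: 'https://auth.platform.example.com', audience: 'inventory-api',
                 requiredRole: 'viewer', allowedPrincipalTypes: ['user', 'api_key'] };
const RESOURCE = { tenantId: 'org-acme', level: 'project', id: 'proj-abc123' };
console.log(authorizeIntrospection(SAMPLE, POLICY, RESOURCE, 1999999000));
console.log(authorizeIntrospection({ active: false }, POLICY, RESOURCE, 1999999000));
```

Returning a reason string with every denial lets the service log why a request was refused without echoing token contents.
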

active
enum<boolean>
required

Token is active.

Available options:

true

sub
string
required

Subject — the principal identifier. User ID for interactive sessions and API keys, service account clientId for client_credentials.

Example:

"user-xyz789"

iss
string
required

Issuer URL.

Example:

"https://auth.platform.example.com"

aud
string
required

Intended audience.

exp
integer
required

Expiration time (Unix timestamp).

iat
integer
required

Issued-at time (Unix timestamp).

jti
string
required

Unique token identifier.

tenant_id
string
required

Organization/tenant identifier.

Example:

"org-acme"

scope
enum<string>
required

The resource hierarchy level this token is scoped to.

Available options:

organization, project

scope_id
string
required

Resource identifier for the token's scope boundary.

Example:

"proj-abc123"

roles
string[]
required

Effective roles for this token. For API keys, this is the intersection of the key's roles and the user's current roles. For service accounts, these are the directly assigned roles. May be further narrowed if scope narrowing was applied at mint time.

Example:

["viewer", "member"]

principal_type
enum<string>
required

How the caller authenticated. Allows downstream services to apply principal-type-specific policies.

Available options:

user, api_key, service_account

credential_id
string

Identifier of the credential used to mint this token. API key ID for api_key grants, credential ID for client_credentials grants. Null for interactive sessions.

Example:

"apikey-j2k3l4"