OAuth Token Introspection POST

URI

https://{DATACENTER}.brightpearl.com/oauth/token/introspect

Description

Request

This endpoint allows you to get information about an OAuth access token in accordance with the OAuth 2.0 token introspection specification.

At present, this endpoint does not return information about refresh tokens.

As with the OAuth access token resource, this endpoint differs from our standard API endpoints in the following ways:

  1. Input data is x-www-form-urlencoded rather than application/json
  2. Although the response body is in JSON, its keys are underscore-cased instead of camel-cased.

The token to introspect should be supplied in the request body as the form parameter "token".

Additionally, requests to this endpoint are authenticated using the OAuth "client password" mechanism (described in the OAuth 2.0 specification). This means you must supply your apps's client ID (integration reference) and client secret as the username and password using the HTTP Basic authentication scheme. If your app has no client secret (i.e. your client type is 'public') then the password can be omitted.

You must also supply your account code. This can be specified in request body as account_code. Alternatively you can access this endpoint at /{account}/oauth/token/introspect. This is useful if you are using an OAuth client which will not allow custom request parameters.

Response

The response will contain the following properties, which are all JSON strings:

property description
active Whether the token is currently active, i.e. is valid and has not expired
token_type The OAuth 2.0 token type. At present the value for access tokens will always be "Bearer"
exp The time at which this token will expire, expressed as an integer number of seconds since 1 Jan 1970 UTC.

Example 1

Obtain information for a token for account "indosports" using confidential auth integration "an-integration" with secret "AJhTYmqMnjb4b1PNLsL64EF5hCr2fM6a+xSN9ap7wSE="

Request URI

/indosports/oauth/token/introspect [Authorization: Basic YW4taW50ZWdyYXRpb246QUpoVFltcU1uamI0YjFQTkxzTDY0RUY1aENyMmZNNmEreFNOOWFwN3dTRT0=]

Request body

token=sq0QzvQ/yd+93rmRyhJugD79GKVKPB2JCBmOSth18mM=

Response

{
	"active": "true",
	"token_type": "Bearer",
	"exp": "1520245650"
}

Example 2

Obtain information for a token for account "indosports" using public auth integration "an-integration"

Request URI

/oauth/token/introspect [Authorization: Basic YW4taW50ZWdyYXRpb246]

Request body

account_code=indosports&token=sq0QzvQ/yd+93rmRyhJugD79GKVKPB2JCBmOSth18mM=

Response

{
	"active": "true",
	"token_type": "Bearer",
	"exp": "1520245650"
}