API Management versions 7.5.X and 7.6.X have reached end of support in November 2020.
Check out the latest version of the documentation.

Token information service flow

You can use the token information service to validate that an access token was issued by the API Gateway. A request to the tokenInfo  service is an HTTP GET request for information in a specified OAuth 2.0 access token.

OAuth 2.0 Token Info

The endpoint for the token information service is as follows:


Getting information about a token from the authorization server only requires a GET request to the token info endpoint. For example:

GET /api/oauth/tokeninfo HTTP/1.1

This request includes the following parameter:

Parameter Description


Required. A token that you want information about (for example: 4eclEUX1N6oVIOoZBbaDTI977SV3T9KqJ3ayOvs4gqhGA4)

The following example uses this parameter:


Run the sample client

The following Jython sample client creates a token information request to the authorization server:


To run the sample, open a shell prompt at INSTALL_DIR/samples/scripts, and execute the following command:

> run oauth/token_info.py

This displays the following dialog:

Getting OAuth 2.0 Token Info

When the authorization server receives the token information request, it first ensures the token is in its cache (EhCache or Database), and then ensures the token is valid and has not expired.

The following is an example response:

Get token info for this token:BcYGjPOQSCrtbEc1F0ag8zf6OT9rCaMLiI1dYjFLT5zhxz3x5ScrdN
Response from token info request is:200
**********************TOKEN INFO RESPONSE***********************************
Token audience received from authorization server:SampleConfidentialApp
Scopes user consented to:https://localhost:8090/auth/userinfo.email
Token expiry time:3566
User id :admin

Response codes

The following HTTP status codes are returned:

  • 200 if processing is successful
  • 400 on failure

The response is sent back as a JSON message. For example:

 "audience" :"SampleConfidentialApp",
 "user_id" :"admin",
 "scope" :"https://localhost:8090/auth/userinfo.email",
 "expires_in" :2518

You can get additional information about the access token using message attributes. For more details, see OAuth 2.0 message attributes.

Related Links