OAuth Token Introspection
OAuth Token Introspection lets a protected resource ask the authorization server whether a presented token is active and what authorization metadata it carries before an agent tool request is served.
Definition
OAuth Token Introspection is the Standards Track extension defined in RFC 7662, OAuth 2.0 Token Introspection, by Justin Richer. RFC 7662 was published in October 2015. It defines a method for a protected resource to query an OAuth 2.0 authorization server and learn whether a token is active and what metadata is associated with it.
The core problem is that OAuth tokens may be opaque to the resource server. A tool server can receive a string that looks like a bearer token without knowing whether it has expired, been revoked, was issued to a particular client, carries a relevant scope, or has the right audience. Introspection gives the resource server a standard back-channel question: what does this token mean now?
The answer is evidence, not the whole authorization decision. active: true means the authorization server currently treats the token as usable in the returned context. The protected resource still has to verify issuer, audience, scope, expiration, sender constraint, tenant, client, subject, local policy, and any agent-specific approval rule before serving the request.
For AI agents, that question matters because tool calls often cross service boundaries quickly. A browser assistant, coding agent, or hosted workflow may present tokens to many tool servers. Each protected resource needs a way to make its own authorization decision rather than assuming that possession of a token is enough.
Snapshot
- Standard: RFC 7662, published by the IETF in October 2015 as an OAuth 2.0 token-status and metadata extension.
- Primary actor: a protected resource, such as an API or tool server, querying the authorization server through a protected back-channel endpoint.
- Core response:
active, a Boolean value indicating whether the authorization server currently regards the token as active. - Common metadata: scope, client, subject, audience, issuer, token type, expiration, issued-at time, not-before time, username, and token identifier where the authorization server chooses to disclose them.
- Best use: opaque or reference-token deployments, revocable agent connectors, gateway enforcement, and resource servers that need current authorization state rather than only local token parsing.
- Decision rule: an active token is necessary evidence for access, but it is not a substitute for resource-server policy, sender-constraint verification, or human approval gates.
- Boundary: introspection verifies token state and metadata; it does not prove user intent, agent safety, prompt integrity, or consent for a particular high-impact action.
How It Works
The protected resource sends an HTTP POST request to the introspection endpoint. The request includes a required token parameter and may include token_type_hint, such as access_token or refresh_token, to help the authorization server locate the token. RFC 7662 requires the introspection endpoint to be protected by transport-layer security and to require authorization, so random callers cannot scan tokens.
The response is a JSON object. Its required member is active, a Boolean value saying whether the token is currently active according to the authorization server. Optional response members include scope, client_id, username, token_type, exp, iat, nbf, sub, aud, iss, and jti. Implementations can add service-specific response fields, and cross-domain response names can be registered.
RFC 7662 allows the authorization server to answer differently depending on which protected resource is asking. A well-run deployment should therefore treat introspection as a resource-scoped exchange: the endpoint authenticates the caller, decides what that caller is entitled to learn, and returns only the metadata needed for that resource server's policy decision.
If the token is inactive, missing, unknown to the server, or not introspectable by that protected resource, RFC 7662 says the authorization server returns {"active": false} and should not reveal extra details about why. The response can be cached by the protected resource, but caching trades performance for freshness.
Introspection is different from local JWT validation. A resource server that validates a self-contained token locally may avoid a network call, but it may not see revocation, policy changes, or downscoping until the token expires. A resource server that introspects receives current authorization-server state, but it depends on endpoint availability, authentication, latency, cache policy, and careful logging.
Boundary Tests
Not local token validation. A resource server can validate a JWT access token locally by checking its signature, issuer, audience, expiration, and profile. Introspection is a back-channel query to the authorization server. Some deployments use both: local checks for speed, introspection for revocation, reference tokens, or high-risk actions.
Not token revocation. OAuth Token Revocation is the act of asking the authorization server to invalidate a token or grant. Introspection checks current state after issuance. A revocation event should change later introspection results, but the two endpoints answer different questions.
Not token exchange. OAuth Token Exchange mints a new token from an existing token or assertion. Introspection does not delegate, impersonate, downscope, or bridge trust domains by itself; it reports metadata about the token being presented.
Not a consent record. An active token says the authorization server currently regards the token as usable in some context. It does not prove the user understood a particular agent action, that the requested tool call is proportionate, or that the resource server should skip local policy.
Not sender constraint by itself. DPoP and mutual TLS can bind token use to a key or certificate. Introspection can help a resource server learn confirmation material or token metadata in some deployments, but the server still has to verify the proof on the actual request.
Discovery and Response Security
RFC 7662 deliberately leaves introspection endpoint discovery out of scope. In modern deployments, OAuth Authorization Server Metadata under RFC 8414 can advertise introspection_endpoint, introspection_endpoint_auth_methods_supported, and supported signing algorithms for JWT-based client authentication at the introspection endpoint. That discovery record should be pinned to the expected issuer and reviewed like other authorization-server metadata.
OAuth Protected Resource Metadata under RFC 9728 complements that chain from the resource side. It can tell a client which authorization servers are associated with a protected resource, but the introspection endpoint itself comes from authorization-server metadata or local configuration. Agent clients should not let tool text, model output, or an unvalidated discovery redirect choose the introspection endpoint.
RFC 9701 adds a JWT-secured introspection-response option for cases where a resource server needs stronger assurance about who issued the response, who the response is for, or where liability and cross-boundary trust matter. A resource server requests that format with Accept: application/token-introspection+jwt. The response JWT carries top-level iss, aud, iat, and a token_introspection object containing the RFC 7662 response members.
The JWT response is not a new access token. RFC 9701 warns against treating the introspection response JWT as if it were the introspected access token. Resource servers should validate the signature, type, issuer, audience, timestamp, nesting or encryption if used, and the encapsulated active result before using the response in a policy decision.
Current Context
As of June 25, 2026, RFC 7662 remains the core IETF standard for OAuth 2.0 token introspection. RFC 8414 authorization server metadata can advertise an introspection endpoint and supported introspection-endpoint authentication methods, and RFC 9701 adds a JWT-secured response option for deployments that need signed or encrypted introspection responses.
OAuth security practice has also moved toward tighter resource boundaries. RFC 9700 says access tokens should be audience-restricted to a specific resource server or small set of resource servers, and resource servers must verify whether each received token was meant for them. Introspection is one way to get the metadata needed for that check, especially with opaque tokens.
OAuth 2.1 is still an Internet-Draft on this review date. The March 2026 draft consolidates OAuth 2.0 with later security updates, but production documentation should still cite the applicable RFCs directly. The June 2026 OAuth security-topics update draft is also relevant current context: it describes newer threats such as audience-injection attacks and related multi-authorization-server risks, but it remains a draft rather than a replacement for RFC 9700.
Agent and MCP deployments make these older OAuth controls newly important. MCP's 2025-11-25 authorization specification requires protected-resource metadata for authorization server discovery, and its security guidance warns against token passthrough. Token introspection is not itself an MCP mandate, but it is part of the adjacent OAuth toolkit for resource servers that need current, issuer-backed token state before serving a tool request.
Agent Context
Agent tool systems often prefer opaque or reference tokens because revocation, downscoping, and policy updates can happen at the authorization server without forcing every tool server to understand every token format. Introspection lets a tool server check the current authorization state at request time.
This is especially useful for gateway patterns. A resource server can ask whether the presented token is active, which client requested it, which subject or resource owner it represents, which scope is effective, and whether the audience fits the protected resource. The answer can be narrower than the original grant: RFC 7662 allows the authorization server to return different information to different protected resources.
For AI Agent Identity, introspection helps keep the agent, delegated user, client, scope, and resource boundary visible at the moment of tool use. It is strongest when paired with OAuth Resource Indicators, OAuth Protected Resource Metadata, scoped credentials, and audit trails.
For agent platforms, the control also reduces identity ambiguity. If a hosted agent brokers access to several MCP servers, repository APIs, or internal tools, the resource server can record whether the token was issued to the expected client and for the expected resource instead of trusting that the agent host routed it correctly.
Introspection is not a judgment about the agent's reasoning. If prompt injection persuades a legitimate agent to call a tool, an active token may still be active. The control answers whether this token should be honored by this resource server now. It does not answer whether the requested task is wise, honest, or proportionate.
Governance and Safety
RFC 9700 says access tokens should be audience-restricted to a specific resource server, or a small set of resource servers when that is not feasible, and that resource servers must refuse tokens meant for another audience. Introspection responses can carry the aud value and other metadata a resource server needs to enforce that boundary.
In January 2025, RFC 9701 standardized a JWT response option for token introspection. That extension exists for cases where the resource server needs stronger assurance that the authorization server issued the introspection response and may need signed or encrypted response data.
The privacy boundary is as important as the cryptographic boundary. Introspection responses can expose subject identifiers, usernames, scopes, client identifiers, token identifiers, and identity claims. RFC 9701 says the authorization server must be able to identify, authenticate, and authorize resource servers and determine what data each resource server is entitled to receive. A safer design returns only the fields needed for that resource server's decision.
Audit trails should preserve the token fingerprint or opaque reference, introspection endpoint, resource server identity, active result, returned subject, client identifier, audience, scope, expiration, cache status, policy decision, and final tool action. Logs should avoid storing full bearer tokens because possession of the token may itself be sensitive authority.
The introspection endpoint is a sensitive control-plane API. It should be rate-limited and monitored for token-scanning behavior, protected with separate resource-server credentials where appropriate, and governed by Data Minimization rules for both responses and logs.
Governance should treat introspection as part of the same control plane as OAuth Security Best Current Practice, AI Agent Sandboxing, AI Agent Observability, AI Audit Trails, and Human Oversight of AI Systems. An active token can still be too broad for the requested task, stale in a cache, or attached to an agent run that should require human approval.
Minimum Introspection Record
A serious agent connector or resource server should leave enough introspection evidence for security review without leaking token material.
- System identity: resource server, authorization server, issuer, metadata source, client ID, agent or connector, tenant, and link to the AI System Inventory.
- Request context: token type hint, tool or API requested, run identifier, delegated user or organization where appropriate, resource indicator or audience expectation, and whether the action was read, write, destructive, external-send, or high-impact.
- Response metadata:
active, subject, scope, audience, issuer, client, expiration, issued-at time, not-before time, token identifier if disclosed, JWT-response validation status if RFC 9701 is used, and any local authorization fields used for policy. - Policy decision: allow, deny, require step-up, require human approval, downscope, or quarantine, plus the rule that made that decision.
- Cache and freshness: cache hit or miss, cache time-to-live, response timestamp, revocation sensitivity, and fallback behavior if the introspection endpoint is unavailable.
- Audit safety: token fingerprint or reference only, response-field minimization, redaction status, log retention class, incident link if misuse is suspected, and access controls on the introspection logs.
Failure Modes
Possession-only authorization. The resource server treats any bearer token string as enough evidence and never checks active state, audience, scope, issuer, or client.
Overbroad disclosure. The authorization server returns more token metadata than the protected resource needs, exposing user or client information unnecessarily.
Stale allow. A cached active response survives revocation, downscoping, account suspension, incident response, or a user decision to withdraw access.
Fail-open behavior. The resource server allows access when the introspection endpoint is unreachable, slow, or returns an error.
Audience confusion. The resource server sees active: true but fails to verify whether the token was actually issued for that protected resource.
Metadata confusion. The resource server discovers or accepts an introspection endpoint without binding it to the expected issuer, tenant, authorization server metadata, or protected-resource metadata.
JWT response substitution. A JWT introspection response is accepted as an access token, or it is used without checking type, signature, issuer, audience, and the nested token_introspection object.
Endpoint scanning. The authorization server exposes a weakly authenticated or unthrottled introspection endpoint, giving attackers a way to test token guesses or learn token status indirectly.
Authorization outsourcing. The resource server treats active: true as a complete local allow decision and skips tool policy, step-up rules, sender-constraint checks, human approval, or account-risk controls.
Secret-bearing logs. Introspection improves traceability but stores full bearer tokens or excessive response details in ordinary application logs.
Defense Pattern
- Authenticate the resource server. The introspection endpoint must know which protected resource is asking and what it is allowed to learn.
- Treat inactive as deny. A response of
active: false, an unreachable endpoint, or an unauthorized introspection call should not become a silent allow. - Validate returned metadata. Check audience, issuer, expiration, scope, client, subject, and any local policy fields before serving the tool request.
- Bind discovery to issuer. Use trusted authorization-server metadata and reject introspection endpoints or response issuers that do not match the configured authorization boundary.
- Keep endpoint selection out of prompts. Use protected-resource metadata, authorization-server metadata, and enterprise configuration; do not let model-visible text supply the endpoint to call.
- Cache narrowly. Keep cache lifetimes short for high-risk tools, revocable grants, and agent workflows where policy changes quickly.
- Protect token material. Log fingerprints or references, not full bearer tokens, and keep introspection traffic off untrusted channels.
- Use signed responses when needed. Consider RFC 9701 where downstream assurance, liability, or cross-boundary trust requires a JWT introspection response, and validate it as a response artifact rather than an access token.
- Minimize response fields. Return only the subject, scope, audience, and authorization metadata that the calling resource server is entitled to receive.
- Separate authorization from approval. An active token may authorize a tool call, but high-impact agent actions may still require human oversight or step-up controls.
- Test revocation and downtime. Red-team revoked tokens, wrong-audience tokens, stale caches, endpoint outages, and prompt-injected tool calls that present otherwise valid tokens.
Source Discipline
Claims about OAuth Token Introspection should identify the introspection endpoint, discovery source, resource server, token type, active result, response fields used for policy, cache behavior, and whether the response was plain JSON or an RFC 9701 JWT response. Do not collapse introspection into OAuth Token Exchange, token revocation, local JWT validation, OAuth Resource Indicators, or a legal conclusion that a user consented.
Use exact source labels. RFC 7662 defines the introspection request and response. RFC 9701 defines a JWT-secured response option. RFC 9700 supplies current OAuth security guidance, including audience restriction. RFC 8414 can advertise introspection endpoint metadata. RFC 9728 helps clients discover protected-resource metadata. These sources fit together, but none is a substitute for the others.
For implementation claims, preserve dates, token class, endpoint metadata, resource-server identity, authentication method, sender-constraint method if any, cache policy, privacy filter, and test result. "We introspect tokens" is not enough evidence unless the record shows which fields are checked and how failure is handled.
Spiralist Reading
Spiralism reads token introspection as a refusal to let authority be judged only by appearance. A string arrives at a tool server, and the server asks the institution that issued it whether the string is still alive.
That answer is not wisdom. It is an administrative pulse. Serious systems still ask what the agent is doing, who authorized it, which resource is named, and why the action should proceed.
Open Questions
- Which agent tools should require live introspection rather than local JWT validation?
- How short should introspection caches be for destructive or high-value tool actions?
- What minimum fields should a resource server receive without leaking unnecessary user or client information?
- When should signed JWT introspection responses be mandatory for cross-organization agent workflows?
Related Pages
- AI Agent Identity
- AI System Inventory
- Capability-Based Security
- Confused Deputy Problem
- OAuth Security Best Current Practice
- OAuth Authorization Server Metadata
- OAuth Resource Indicators
- OAuth Protected Resource Metadata
- OAuth Bearer Token Usage
- OAuth JWT Access Token Profile
- JSON Web Tokens
- OAuth Token Exchange
- OAuth Token Revocation
- OAuth Mutual TLS
- OAuth DPoP
- Rich Authorization Requests
- Pushed Authorization Requests
- JWT-Secured Authorization Requests
- OAuth Client ID Metadata Documents
- OAuth Attestation-Based Client Authentication
- Sender-Constrained Tokens
- Model Context Protocol
- AI Agent Sandboxing
- AI Agent Observability
- AI Audit Trails
- Data Minimization
- Human Oversight of AI Systems
- AI Incident Reporting
- Prompt Injection
- Secure AI System Development
- Agent Tool Permission Protocol
Sources
- J. Richer, IETF, RFC 7662: OAuth 2.0 Token Introspection, October 2015; reviewed June 25, 2026.
- D. Hardt, IETF, RFC 6749: The OAuth 2.0 Authorization Framework, October 2012; reviewed June 25, 2026.
- T. Lodderstedt, S. Dronia, and M. Scurtescu, IETF, RFC 7009: OAuth 2.0 Token Revocation, August 2013; reviewed June 25, 2026.
- M. B. Jones, N. Sakimura, and J. Bradley, IETF, RFC 8414: OAuth 2.0 Authorization Server Metadata, June 2018; reviewed June 25, 2026.
- B. Campbell, J. Bradley, H. Tschofenig, and T. Lodderstedt, IETF, RFC 8707: Resource Indicators for OAuth 2.0, February 2020; reviewed June 25, 2026.
- B. Campbell, J. Bradley, N. Sakimura, and T. Lodderstedt, IETF, RFC 8705: OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens, February 2020; reviewed June 25, 2026.
- D. Fett, B. Campbell, J. Bradley, T. Lodderstedt, M. B. Jones, and D. Waite, IETF, RFC 9449: OAuth 2.0 Demonstrating Proof of Possession, September 2023; reviewed June 25, 2026.
- T. Lodderstedt, J. Bradley, A. Labunets, and D. Fett, IETF, RFC 9700: Best Current Practice for OAuth 2.0 Security, BCP 240, January 2025; reviewed June 25, 2026.
- T. Lodderstedt and V. Dzhuvinov, IETF, RFC 9701: JSON Web Token (JWT) Response for OAuth Token Introspection, January 2025; reviewed June 25, 2026.
- M. B. Jones, P. Hunt, and A. Parecki, IETF, RFC 9728: OAuth 2.0 Protected Resource Metadata, April 2025; reviewed June 25, 2026.
- IETF OAuth Working Group, draft-ietf-oauth-v2-1-15: The OAuth 2.1 Authorization Framework, Internet-Draft, March 2026; reviewed June 25, 2026.
- IETF OAuth Working Group, draft-ietf-oauth-security-topics-update-02: Updates to OAuth 2.0 Security Best Current Practice, Internet-Draft, June 2026; reviewed June 25, 2026.
- Model Context Protocol, Authorization specification, version 2025-11-25; reviewed June 25, 2026.
- Model Context Protocol, Security Best Practices, reviewed June 25, 2026.