By: Paul Haggerty user 09 Dec 2016 at 2:32 p.m. CST

10 Responses
Hi, I'm looking to do access token validation from a resource server. Specifically I'm looking to do RFC 7662 introspection. I see there are two different endpoints on the Gluu server: one is called introspection, "hostx/oxauth/seam/resource/restv1/introspection", and the other is called validate, "hostx/oxauth/seam/resource/restv1/oxauth/validate". So I have a couple of questions. Which of these does the RFC 7662 introspection? The second question: do the endpoints require a specific type of OAuth authorization? I'm using a basic client secret and I'm getting access denied.

By Michael Schwartz Account Admin 09 Dec 2016 at 2:46 p.m. CST

The introspection endpoint... See [https://gluu.org/docs/api/uma-rpt-status/](https://gluu.org/docs/api/uma-rpt-status). Although I just noticed the response docs are not being rendered. I just opened a bug on that: [https://github.com/GluuFederation/oxAuth/issues/391](https://github.com/GluuFederation/oxAuth/issues/391)

By Paul Haggerty user 09 Dec 2016 at 4:23 p.m. CST

I've seen this document, thanks. Is the endpoint in the document correct? "/rpt/status" For instance, would I post to /my_Gluu_server_host/**rpt/status**? I see the endpoint called "introspection" and thought it would be the one to use. The only issue is I get an access error. So that's why I'm wondering if only certain types of OAuth2 authorizations are accepted.

By Yuriy Zabrovarnyy staff 09 Dec 2016 at 5:27 p.m. CST

Documentation is updated (it may take some time to be live). A sample response of the RPT introspection endpoint is:

```
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store

{
  "active": true,
  "exp": 1256953732,
  "iat": 1256912345,
  "permissions": [
    {
      "resource_set_id": "112210f47de98100",
      "scopes": [
        "view",
        "http://photoz.example.com/dev/actions/print"
      ],
      "exp": 1256953732
    }
  ]
}
```

The best way to know the exact endpoint path is to call UMA discovery, usually `https://<gluu server>/.well-known/uma-configuration`. In the response to the discovery request, one of the JSON keys is:

```
"introspection_endpoint" : "https://<gluu server>/oxauth/seam/resource/restv1/rpt/status",
```

About authorization: Gluu Server sticks to UMA 1.0.1 and requires the token to have the `uma_protection` scope. Make sure that during token creation you requested scope=uma_protection. Here is a sample of token creation in Java: `https://github.com/GluuFederation/oxAuth/blob/master/Client/src/main/java/org/xdi/oxauth/client/uma/wrapper/UmaClient.java#L72-72`

Full UMA flow test: `https://github.com/GluuFederation/oxAuth/blob/master/Client/src/test/java/org/xdi/oxauth/ws/rs/uma/AccessProtectedResourceFlowHttpTest.java`

By Paul Haggerty user 12 Dec 2016 at 9:14 a.m. CST

Thanks Yuriy. It looks like this is for UMA token introspection. Does this mean I have to use the complete UMA flow? I was hoping to just do simple access token introspection using the RFC 7662 flow without the extra UMA message flow. My server just needs to validate that the (OpenID Connect) access token is active and validate the scopes that the user has. Paul

By Paul Haggerty user 12 Dec 2016 at 9:34 a.m. CST

I have one other quick question. On my Gluu server there are a couple of other endpoints that seem to be related to access token validation. What are these endpoints for?

```
"validate_token_endpoint":"https://my_gluu_server/oxauth/seam/resource/restv1/oxauth/validate"
"introspection_endpoint":"https://my_gluu_server/oxauth/seam/resource/restv1/introspection"
```

By Yuriy Zabrovarnyy staff 12 Dec 2016 at 9:48 a.m. CST

Ok, those are two different introspections.

1. access_token introspection, usually located here:

```
"introspection_endpoint": "https://ce-dev2.gluu.org/oxauth/seam/resource/restv1/introspection",
```

This endpoint is protected by access_token. See `https://github.com/GluuFederation/oxAuth/blob/master/Server/src/main/java/org/xdi/oxauth/introspection/ws/rs/IntrospectionWebService.java#L73-73`

2. UMA introspection endpoint. If your goal is just to introspect access_token then you don't need RPT introspection, of course.
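As an added example (not code from the thread or from the oxAuth project), here is a small resource-server-side RFC 7662 introspection client in Python that ties together the two points above: it reads `introspection_endpoint` from a discovery document instead of hard-coding a path, builds the `POST` with `token=...` as a form body, and then treats the response strictly, rejecting anything that is not an explicit `active: true`, an expired or not-yet-valid token, or a token missing a required scope. The host name, client credentials, token string and both sample JSON documents are constructed placeholders. The thread says Gluu's access_token introspection endpoint is protected by an access token, so both a Bearer header and the RFC 7662 client-credentials Basic header are provided and the caller picks whichever the server accepts.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Constructed sample discovery document (placeholder host). A real server
# publishes this at /.well-known/openid-configuration (OpenID Connect) or
# /.well-known/uma-configuration (UMA); the key name is the same in both.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://gluu.example.test",
    "introspection_endpoint":
        "https://gluu.example.test/oxauth/seam/resource/restv1/introspection",
})

# Constructed sample RFC 7662 response for an active token.
SAMPLE_ACTIVE_RESPONSE = json.dumps({
    "active": True,
    "scope": "openid profile email",
    "client_id": "client-id-placeholder",
    "exp": 4102444800,   # 2100-01-01T00:00:00Z, constructed
    "iat": 1481299200,
})


def introspection_endpoint_from_discovery(discovery_json: str) -> str:
    """Take the endpoint from discovery; refuse anything that is not HTTPS."""
    doc = json.loads(discovery_json)
    endpoint = doc.get("introspection_endpoint")
    if not endpoint or not endpoint.startswith("https://"):
        raise ValueError("discovery document has no HTTPS introspection_endpoint")
    return endpoint


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """RFC 7662 / RFC 6749 client authentication via HTTP Basic."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return "Basic " + creds


def bearer_auth_header(access_token: str) -> str:
    """For servers that protect the endpoint with an access token instead."""
    return "Bearer " + access_token


def build_introspection_request(endpoint: str, token: str,
                                authorization: str) -> urllib.request.Request:
    """POST token=<opaque token> as a form body; never put the token in the URL."""
    body = urllib.parse.urlencode({
        "token": token,
        "token_type_hint": "access_token",
    }).encode()
    headers = {
        "Authorization": authorization,
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    return urllib.request.Request(endpoint, data=body, headers=headers, method="POST")


def send_introspection(req: urllib.request.Request, timeout: float = 5.0) -> str:
    """Network call, kept separate so the decision logic is testable offline."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


def evaluate_introspection(response_json: str, required_scopes, now=None):
    """Return (ok, reason). Anything but an explicit active=true is a rejection."""
    now = time.time() if now is None else now
    info = json.loads(response_json)
    if info.get("active") is not True:
        return False, "token not active"
    exp = info.get("exp")
    if exp is not None and now >= exp:
        return False, "token expired"
    nbf = info.get("nbf")
    if nbf is not None and now < nbf:
        return False, "token not yet valid"
    granted = set(info.get("scope", "").split())
    missing = set(required_scopes) - granted
    if missing:
        return False, "missing scopes: " + " ".join(sorted(missing))
    return True, "ok"


if __name__ == "__main__":
    endpoint = introspection_endpoint_from_discovery(SAMPLE_DISCOVERY)
    req = build_introspection_request(
        endpoint, "opaque-token-placeholder",
        basic_auth_header("client-id-placeholder", "client-secret-placeholder"))
    print(req.full_url, req.get_method())
    # Offline: evaluate the constructed response instead of send_introspection(req).
    print(evaluate_introspection(SAMPLE_ACTIVE_RESPONSE, ["openid", "email"]))
```

Keeping `evaluate_introspection` separate from the HTTP call lets a resource server unit-test its accept/reject decisions without a live Gluu instance; note that `active: false` responses carry no other claims, so the check on `active` must come first.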

By Paul Haggerty user 12 Dec 2016 at 10:07 a.m. CST

Thanks, this is very helpful.

By Yuriy Zabrovarnyy staff 13 Dec 2016 at 2:55 a.m. CST

Should we close this ticket, or is there anything open regarding access_token introspection?

By Paul Haggerty user 13 Dec 2016 at 8:07 a.m. CST

Yes, the access token introspection endpoint is working for me. Thanks.

By Yuriy Zabrovarnyy staff 13 Dec 2016 at 11:50 a.m. CST

Great, closing it.