Hi, I want to use the client credentials grant for some communication that does not directly involve a user. I'm able to call /oxauth/seam/resource/restv1/oxauth/token and receive an access token. The manual page says that client_credentials is a valid grant_type and I do indeed receive a token. I can't work out how my Resource Provider would be able to verify that the token being given to it is valid. I would expect to use Token Introspection (https://tools.ietf.org/html/rfc7662). When I call the endpoint with the access token as a bearer token and supplying the "token" in the body (I'm not using the optional token_type_hint parameter) I get an error: ``` POST /oxauth/seam/resource/restv1/introspection HTTP/1.1 Host: gluu.local Authorization: Bearer 1e4b41eb-fb99-4280-aafa-019bf4547be8 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache token=1e4b41eb-fb99-4280-aafa-019bf4547be8 ``` This returns: ``` { "error": "access_denied", "error_description": "The resource owner or authorization server denied the request." } ``` The manual for an older version (2.4.4) of Gluu has documentation for the OAuth2 flows but these pages are removed in Gluu. Neither the old manual page nor the OpenID connect page mention token introspection. I can't work out why the request is being denied. Is there perhaps a manual page on how to validate a token that a client passes you? Google isn't terribly helpful in finding this information for Gluu.