Hello,
thanks for your answer!
I authorized the uma_protection scope for the client and tried "manually" (a combination of oxauth-rp and curl) to authenticate by token using the uma_protection scope: it works.
But with the Apache module mod_auth_openidc it does not work, because the only authentication that it can use is by password (basic authentication), but apparently the Gluu server does not support it. By the way, it works with the MITRE OIDC server using basic authentication (introspection has to be allowed for the client in the server configuration).
In the "OAuth 2.0 Token Introspection" RFC both authentication methods are given as examples (cf. https://tools.ietf.org/html/rfc7662#section-2.1).
- Is it possible to use basic authentication for token introspection in Gluu?
- If not, could it be added as a configurable option?
PS: it would be nice if the test tool oxauth-rp also had a pane/module to try token introspection in various contexts.
Thanks in advance for your help.
If you prefer, I can open a new issue for this topic (incompatibility with mod_auth_openidc).
Thanks!
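
The two ways of authenticating an introspection request that RFC 7662 section 2.1 shows (a Bearer token, or HTTP Basic client credentials), as an added example that is not part of the original post and is not code from Gluu, mod_auth_openidc or the MITRE server. The function names, tokens and client credentials are constructed for illustration; the Basic branch applies the form-encoding step from RFC 6749 section 2.3.1, which matters when a client ID or secret contains `:` or `&`.

```python
import base64
from urllib.parse import quote_plus, unquote_plus, urlencode

def build_introspection_request(token, *, bearer=None, client_id=None, client_secret=None):
    """Return (headers, body) for an RFC 7662 section 2.1 introspection POST.

    Pass `bearer` to authenticate with a separate access token, or
    client_id/client_secret for HTTP Basic client authentication.
    """
    if (bearer is None) == (client_id is None):
        raise ValueError("choose exactly one of bearer or client_id/client_secret")
    if bearer is not None:
        auth = "Bearer " + bearer
    else:
        # RFC 6749 section 2.3.1: form-urlencode each part before base64.
        pair = quote_plus(client_id) + ":" + quote_plus(client_secret or "")
        auth = "Basic " + base64.b64encode(pair.encode()).decode("ascii")
    headers = {
        "Authorization": auth,
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    return headers, urlencode({"token": token, "token_type_hint": "access_token"})

def classify_client_auth(authorization):
    """Server-side view: which method did the caller present?

    Returns ("bearer", token), ("basic", (client_id, secret)) or ("none", None).
    """
    scheme, _, value = (authorization or "").partition(" ")
    scheme, value = scheme.lower(), value.strip()
    if scheme == "bearer" and value:
        return "bearer", value
    if scheme == "basic" and value:
        try:
            decoded = base64.b64decode(value, validate=True).decode("utf-8")
        except ValueError:  # covers malformed base64 and invalid UTF-8
            return "none", None
        cid, sep, secret = decoded.partition(":")
        if not sep:
            return "none", None
        return "basic", (unquote_plus(cid), unquote_plus(secret))
    return "none", None
```
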