Introspection response for expired access token


When a resource server sends a request containing an expired access token to Authlete’s /auth/introspection API, Authlete behaves as follows:

  • On the first request: Authlete determines that the token has expired and removes it from its database.
  • On the second and subsequent requests: Authlete determines that the token doesn’t exist, because it was removed on the first request.

In either case, the value of “action” in the API response is “UNAUTHORIZED”.
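The following added example (not Authlete's own code) shows a resource server that branches only on “action”, so the first and later requests for an expired token produce the same 401 and anything other than an explicit OK is denied. The `responseContent` field, the action values other than UNAUTHORIZED, and the sample response bodies are assumptions that are not stated on this page.

```python
import json

# HTTP status for each introspection "action". Only UNAUTHORIZED comes from
# this page; the other values are assumptions.
STATUS_BY_ACTION = {"OK": 200, "BAD_REQUEST": 400, "UNAUTHORIZED": 401,
                    "FORBIDDEN": 403, "INTERNAL_SERVER_ERROR": 500}

def decide(introspection_body):
    """Map an introspection response body to (allow, http_status, headers)."""
    try:
        resp = json.loads(introspection_body)
    except (TypeError, ValueError):
        resp = {}
    if not isinstance(resp, dict):
        resp = {}
    action = resp.get("action")
    if not isinstance(action, str):
        action = None
    if action == "OK":
        return True, 200, {}
    # Anything that is not an explicit OK is denied; unknown or missing
    # actions fail closed as a server error instead of being let through.
    status = STATUS_BY_ACTION.get(action, 500)
    headers = {"Cache-Control": "no-store"}
    if status == 401:
        # Assumption: responseContent carries a ready-made challenge string.
        headers["WWW-Authenticate"] = (resp.get("responseContent")
                                       or 'Bearer error="invalid_token"')
    return False, status, headers

# Constructed sample bodies: the first call sees an expired token, later calls
# see a token that no longer exists. The description texts are made up.
FIRST_REQUEST = json.dumps({
    "action": "UNAUTHORIZED",
    "responseContent": 'Bearer error="invalid_token",'
                       'error_description="constructed: token expired"'})
LATER_REQUEST = json.dumps({
    "action": "UNAUTHORIZED",
    "responseContent": 'Bearer error="invalid_token",'
                       'error_description="constructed: token not found"'})

if __name__ == "__main__":
    for name, body in (("first", FIRST_REQUEST), ("later", LATER_REQUEST)):
        print(name, decide(body))
```

Because the decision never depends on the message text, a client cannot tell from the status code whether a rejected token was expired or never existed.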
