Can't get access to introspect


Hi, I’m desperately trying to get access to the /oauth2/introspect API. I’m currently using Postman and created a client for this:
"id": "tills-postman",
"client_name": "Tills Postman",
"redirect_uris": [
"grant_types": [
"response_types": [
"scope": "hydra.consent hydra.clients hydra.policies hydra.*",
"owner": "",
"policy_uri": "",
"tos_uri": "",
"client_uri": "",
"logo_uri": "",
"contacts": null,
"public": false

So I created this policy to get introspection to work:
"id": "accesstoken_introsp-policy",
"description": "Can introspect tokens",
"subjects": [
"effect": "allow",
"resources": [
"actions": [
"conditions": {}

But whenever I call the /oauth2/introspect REST endpoint I get the following error in the console:
level=error msg="An error occurred" error="Validator returned error A validator returned an error: The request could not be authorized: Token is inactive because it is malformed, expired or otherwise invalid"

The token I’m using to authenticate is working for other endpoints like /clients or /policies. What is it I’m missing here?

Thanks in advance.


What does the request look like (curl)?


The token I’m using to authenticate is working for other endpoints like /clients or /policies. What is it I’m missing here?

Does your client have the hydra.introspect scope?


Hi, thanks for your answers.
The curl command should look like this:
curl --request POST -k -H "Authorization:bearer z-anOmDU7q0QjsVuGAo13Ab-q7ZNZJPzRqDAiaqrsbY.YIiJvJ6SvLG2FblenlkBMpwTqMyRT50z8_VQ1DViceY" -F 'token=z-anOmDU7q0QjsVuGAo13Ab-q7ZNZJPzRqDAiaqrsbY.YIiJvJ6SvLG2FblenlkBMpwTqMyRT50z8_VQ1DViceY'

I added the hydra.* scope which seems to work for hydra.clients and hydra.policies. Just to be sure I added the hydra.introspect scope to the client and requested a token with this scope, but still it won’t authorize.


Are you introspecting an access token or a refresh token? I seem to remember this happening with refresh tokens.


Hi, I’m trying to introspect my own token which is working fine for clients or policies.


I tried a bit more and I can validate the token with the binary using admin credentials.

./hydra token validate fcIpMKC4qKPxX5aRCvI1WYeLE-z1Kiat2B3YTbmBLWs.RfA7puDRyZuX7Cink6-cj1aAdP_5Ylr4e1nYbPJR_OE --skip-tls-verify
{
    "active": true,
    "aud": "admin",
    "client_id": "admin",
    "exp": 1522226359,
    "iat": 1522222759,
    "iss": "https://localhost:9001",
    "scope": "hydra.*",
    "sub": "admin"
}

But when I’m trying to verify this token using the admin token, it won’t work through curl:
curl --request POST -k -H "Authorization:bearer fcIpMKC4qKPxX5aRCvI1WYeLE-z1Kiat2B3YTbmBLWs.RfA7puDRyZuX7Cink6-cj1aAdP_5Ylr4e1nYbPJR_OE" -F 'token=fcIpMKC4qKPxX5aRCvI1WYeLE-z1Kiat2B3YTbmBLWs.RfA7puDRyZuX7Cink6-cj1aAdP_5Ylr4e1nYbPJR_OE'
{"active":false}

Further random trying revealed that you have to send the data as Content-Type: application/x-www-form-urlencoded and not as form-data as the documentation here suggests.
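The resolution above comes down to body encoding: `curl -F` sends multipart/form-data, while RFC 7662 introspection expects application/x-www-form-urlencoded. The following added example (written for this thread, not Ory Hydra's own code) builds both request shapes and runs them through a simplified server-side handler that, like a Go handler relying on ParseForm, only reads url-encoded bodies. The handler, the DEMO_TOKEN value and the known-token set are all constructed for the demo; the point it shows is that a multipart body never yields a `token` field, so the server reports `{"active": false}` rather than a parse error.

```python
"""Added example: why multipart/form-data gets {"active": false} from an introspection
endpoint that parses url-encoded bodies only. Not Ory Hydra code."""
from typing import Dict, Optional, Set
from urllib.parse import parse_qs, urlencode

# Constructed, fake token for the demo (not a real Hydra token).
DEMO_TOKEN = "demo.access.token"


def introspection_request(token: str, token_type_hint: Optional[str] = None) -> Dict:
    """Build an RFC 7662 introspection request the way the endpoint expects it:
    the fields go in a url-encoded body with the matching Content-Type header."""
    fields = {"token": token}
    if token_type_hint:
        fields["token_type_hint"] = token_type_hint
    return {
        "method": "POST",
        "path": "/oauth2/introspect",
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode(fields),
    }


def multipart_request(token: str, boundary: str = "demoBoundary") -> Dict:
    """Build what `curl -F token=...` sends: a multipart/form-data body."""
    body = (
        f"--{boundary}\r\n"
        'Content-Disposition: form-data; name="token"\r\n\r\n'
        f"{token}\r\n"
        f"--{boundary}--\r\n"
    )
    return {
        "method": "POST",
        "path": "/oauth2/introspect",
        "headers": {"Content-Type": f"multipart/form-data; boundary={boundary}"},
        "body": body,
    }


def simulated_introspect_handler(request: Dict, known_tokens: Set[str]) -> Dict:
    """Hypothetical server side, simplified to model the behaviour seen in the thread:
    only a url-encoded body is parsed as a form; anything else yields an empty form.
    A missing or unknown token is reported as inactive, exactly like {"active": false}."""
    content_type = request["headers"].get("Content-Type", "")
    form = {}
    if content_type.startswith("application/x-www-form-urlencoded"):
        form = parse_qs(request["body"])
    token = form.get("token", [None])[0]
    if token is None or token not in known_tokens:
        # RFC 7662: an unknown or unparsable token is simply "active": false.
        return {"active": False}
    return {"active": True, "scope": "hydra.*", "client_id": "demo-client"}


if __name__ == "__main__":
    known = {DEMO_TOKEN}
    print(simulated_introspect_handler(introspection_request(DEMO_TOKEN), known))
    print(simulated_introspect_handler(multipart_request(DEMO_TOKEN), known))
```

In curl terms the difference is `-F 'token=...'` (multipart) versus `--data-urlencode 'token=...'` (url-encoded, which also sets the Content-Type for you); a client library that gives back `{"active": false}` for a token you know is valid is worth checking for the same encoding mismatch before suspecting scopes or policies.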


We should probably throw a more meaningful error message here… Can you open an issue for that, so I don’t forget? Thanks!