Variable introspection_response_body_when_token_is_retrieved `Const`
introspection_response_body_when_token_is_retrieved: TObject<
    {
        active: TBoolean;
        client_id: TString;
        exp: TOptional<TNumber>;
        iat: TOptional<TNumber>;
        iss: TOptional<TString>;
        jti: TOptional<TString>;
        me: TString;
        scope: TString;
    },
> = ...
Introspection Response.

OAuth 2.0 Token Introspection requires only `active` in the introspection response. IndieAuth requires also `me`. It's not clear whether IndieAuth also requires `client_id` and `scope`.

An access token with no scope should be invalid, but I am not sure I should treat as invalid a refresh token that has no associated scope.

The presence of `client_id` and `scope` allows a stricter token validation, so I think it makes sense to err on the side of caution and require both.
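An added example (not code from this project): a dependency-free TypeScript check that mirrors the schema above, requiring `client_id` and `scope` in addition to `active` and `me`. The name `validateIntrospection`, its error strings, the `nowSeconds` parameter, and the rejection of an empty `scope` string (which assumes the response describes an access token) are assumptions of this example.

```typescript
// Added example: hand-written check mirroring the schema on this page.
// validateIntrospection and its error strings are hypothetical names.
type Result = { ok: true; scopes: string[] } | { ok: false; error: string };

const isString = (v: unknown): v is string => typeof v === "string";
const isNumber = (v: unknown): v is number =>
  typeof v === "number" && Number.isFinite(v);

function validateIntrospection(body: unknown, nowSeconds: number): Result {
  if (typeof body !== "object" || body === null) {
    return { ok: false, error: "not an object" };
  }
  const r = body as Record<string, unknown>;

  // Required by OAuth 2.0 Token Introspection.
  const active = r["active"];
  if (typeof active !== "boolean") return { ok: false, error: "active missing" };
  if (!active) return { ok: false, error: "token inactive" };

  // me is required by IndieAuth; client_id and scope are the stricter choice.
  for (const key of ["me", "client_id", "scope"]) {
    if (!isString(r[key])) return { ok: false, error: `${key} missing` };
  }
  // Optional members: absent is fine, a wrong type is not.
  for (const key of ["exp", "iat"]) {
    const v = r[key];
    if (v !== undefined && !isNumber(v)) return { ok: false, error: `${key} not a number` };
  }
  for (const key of ["iss", "jti"]) {
    const v = r[key];
    if (v !== undefined && !isString(v)) return { ok: false, error: `${key} not a string` };
  }

  // A string-typed scope still admits "", so require at least one value
  // (assumption: the response describes an access token).
  const scopes = String(r["scope"]).split(" ").filter((s) => s.length > 0);
  if (scopes.length === 0) return { ok: false, error: "empty scope" };

  // exp is optional, but when present it must lie in the future.
  const exp = r["exp"];
  if (isNumber(exp) && exp <= nowSeconds) return { ok: false, error: "expired" };

  return { ok: true, scopes };
}
```

A schema that types `scope` as a string accepts the empty string, so the non-empty check has to live in the consumer if a scope-less access token is to be rejected.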