Tokens, userinfo, introspect & revoke
ID tokens (ES256), the userinfo endpoint, refresh-token rotation, RFC 7662 introspection, and RFC 7009 revocation.
After Authorization Code + PKCE, the token endpoint returns an OAuth token response. This page covers the token shape, userinfo, refresh rotation, introspection, and revocation.
Token response
{
"access_token": "eyJhbGciOiJFUzI1Ni…",
"id_token": "eyJhbGciOiJFUzI1Ni…",
"token_type": "Bearer",
"expires_in": 900,
"refresh_token": "…",
"scope": "openid profile email"
}

id_token — an OIDC ID token signed with ES256. Verify it against the JWKS.
access_token — present it as Authorization: Bearer <token> to userinfo and your resource servers.
Userinfo
/v1/oauth/userinfo (OIDC userinfo claims)

curl https://api.qeetid.com/v1/oauth/userinfo \
  -H "Authorization: Bearer $ACCESS_TOKEN"
# → { "sub": "…", "tenant_id": "…", … }

Refresh-token rotation
Exchange a refresh token for a fresh pair at the same token endpoint. Refresh tokens rotate — the old one is invalidated, and replaying a rotated token revokes the chain (see Sessions → theft detection).
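The server-side rule described above (rotate on every use, treat reuse of a rotated token as theft and kill the whole chain), as an added illustration in Python. This is not qeetid's implementation; it is an in-memory model whose store, family ids and error type are assumptions made for the example.

```python
"""Refresh-token rotation with replay (theft) detection.

Added illustration, not qeetid's code: an in-memory store that models the
rule described on this page. Every refresh token belongs to a "family"
(chain). Rotating a token invalidates it and issues a successor in the same
family; presenting an already-rotated token is treated as replay and revokes
the whole family, so neither the thief nor the legitimate client can go on.
"""
import secrets
from dataclasses import dataclass, field


class RefreshError(Exception):
    """Raised when a presented refresh token must be rejected."""


@dataclass
class RefreshStore:
    # token -> {"family": family_id, "active": bool}
    tokens: dict = field(default_factory=dict)
    # family_id -> every token ever issued in that family (for bulk revoke)
    families: dict = field(default_factory=dict)
    revoked_families: set = field(default_factory=set)

    def _mint(self, family_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"family": family_id, "active": True}
        self.families.setdefault(family_id, set()).add(token)
        return token

    def issue(self) -> str:
        """Issue the first refresh token of a new family (after the code exchange)."""
        return self._mint(secrets.token_urlsafe(16))

    def rotate(self, presented: str) -> str:
        """Exchange a refresh token for its successor, enforcing rotation."""
        entry = self.tokens.get(presented)
        if entry is None:
            raise RefreshError("unknown refresh token")
        family = entry["family"]
        if family in self.revoked_families:
            raise RefreshError("refresh token family revoked")
        if not entry["active"]:
            # Replay of a token that was already rotated: assume theft and
            # revoke every token in the chain, including the current one.
            self.revoke_family(family)
            raise RefreshError("refresh token reuse detected; family revoked")
        entry["active"] = False
        return self._mint(family)

    def revoke_family(self, family_id: str) -> None:
        self.revoked_families.add(family_id)
        for t in self.families.get(family_id, ()):
            self.tokens[t]["active"] = False

    def is_active(self, token: str) -> bool:
        e = self.tokens.get(token)
        return bool(e and e["active"] and e["family"] not in self.revoked_families)


def demo_replay() -> dict:
    """Walk through a normal rotation and then a replay; returns each decision."""
    store = RefreshStore()
    first = store.issue()
    second = store.rotate(first)          # normal rotation: first is now dead
    outcome = {"second_active_after_rotation": store.is_active(second)}
    try:
        store.rotate(first)               # someone replays the rotated token
        outcome["replay_accepted"] = True
    except RefreshError:
        outcome["replay_accepted"] = False
    # The legitimate client's current token is now dead too (chain revoked).
    outcome["second_active_after_replay"] = store.is_active(second)
    try:
        store.rotate(second)
        outcome["second_rotates"] = True
    except RefreshError:
        outcome["second_rotates"] = False
    return outcome


if __name__ == "__main__":
    print(demo_replay())
```

The client-visible consequence is that after a replay the legitimate app's next refresh also fails, which is the signal to send the user back through the authorization-code flow rather than retry.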
/v1/oauth/token-code (grant_type=refresh_token)

curl -X POST https://api.qeetid.com/v1/oauth/token-code \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d grant_type=refresh_token \
  -d "refresh_token=$REFRESH" \
  -d "client_id=$CLIENT_ID"

Introspection (RFC 7662)
Resource servers can ask whether a token is active and get its metadata.
/oauth/introspect (introspect a token)

curl -X POST https://api.qeetid.com/oauth/introspect \
  -u "$CLIENT_ID:$CLIENT_SECRET" \
  -d "token=$ACCESS_TOKEN"
# → { "active": true, "sub": "…", "scope": "…", "exp": … }

Revocation (RFC 7009)
Revoke an access or refresh token explicitly (e.g. on logout from a specific device).
/oauth/revoke (revoke a token)

curl -X POST https://api.qeetid.com/oauth/revoke \
  -u "$CLIENT_ID:$CLIENT_SECRET" \
  -d "token=$REFRESH"

Introspection and revocation use the same client authentication as the token endpoint (form params or HTTP Basic). For full session sign-out across the IdP, use RP-initiated logout.
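How a resource server should consume the introspection response from the section above, and how a revoked token (RFC 7009 section) looks to it afterwards, as an added Python example. This is not qeetid's code; the JSON bodies are constructed samples shaped like the responses shown on this page, and the scope name orders:read and the audience value are placeholders chosen for the example. It also builds the HTTP Basic client-authentication header the way RFC 6749 section 2.3.1 specifies (form-urlencode client_id and client_secret before base64), which matters when a secret contains a colon.

```python
"""Resource-server handling of an RFC 7662 introspection response.

Added example, not qeetid's code. "active": true is necessary but not
sufficient: the resource server also checks expiry / not-before, audience
(when present) and the scope it requires. A revoked or unknown token comes
back as {"active": false}, which must be treated as unauthenticated, not as
a transient error to retry.
"""
import base64
import json
import time
from typing import Optional, Tuple
from urllib.parse import quote


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """HTTP Basic client authentication per RFC 6749 s2.3.1: both values are
    application/x-www-form-urlencoded before being joined with ':' and
    base64-encoded, so a secret containing ':' or non-ASCII survives intact."""
    raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(raw.encode("ascii")).decode("ascii")


def authorize(introspection_json: str, required_scope: str,
              expected_aud: Optional[str] = None,
              now: Optional[float] = None) -> Tuple[bool, str]:
    """Decide whether the token the AS just described may access a resource
    that needs `required_scope`. Returns (allowed, reason)."""
    now = time.time() if now is None else now
    try:
        info = json.loads(introspection_json)
    except json.JSONDecodeError:
        return False, "unparseable introspection response"
    if info.get("active") is not True:
        # Revoked, expired or unknown: the AS only promises "active": false.
        return False, "token not active"
    exp = info.get("exp")
    if exp is not None and now >= exp:
        return False, "token expired"
    nbf = info.get("nbf")
    if nbf is not None and now < nbf:
        return False, "token not yet valid"
    aud = info.get("aud")
    if expected_aud is not None and aud is not None:
        audiences = aud if isinstance(aud, list) else [aud]
        if expected_aud not in audiences:
            return False, "token not issued for this resource"
    granted = set(info.get("scope", "").split())
    if required_scope not in granted:
        return False, f"missing scope {required_scope}"
    return True, "ok"


# Constructed sample responses (not captured from the real service).
ACTIVE_RESPONSE = json.dumps({
    "active": True, "sub": "user_123", "client_id": "app_abc",
    "scope": "openid profile orders:read", "token_type": "Bearer",
    "aud": "https://orders.example.test",   # placeholder audience
    "exp": 1_700_000_900, "iat": 1_700_000_000,
})
# What /oauth/introspect returns for the same token after /oauth/revoke.
REVOKED_RESPONSE = json.dumps({"active": False})


if __name__ == "__main__":
    print(basic_auth_header("app_abc", "s3cr:et"))
    print(authorize(ACTIVE_RESPONSE, "orders:read", now=1_700_000_100))
    print(authorize(REVOKED_RESPONSE, "orders:read"))
```

Note that `curl -u "$CLIENT_ID:$CLIENT_SECRET"` base64-encodes the pair as given without the form-urlencoding step, so a secret containing a colon or reserved characters should be encoded first, or sent as form parameters instead.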