KB Article #179529
Does the API Gateway have an OAuth2 Token Introspection Endpoint?
Problem
Does the API Gateway have an OAuth2 Token Introspection Endpoint?
Resolution
We have a "Token information service flow" as documented in the OAuth Guide, but the JSON returned by this flow does not contain an "active = true" element as required by the RFC. You can create an OAuth2 Token Introspection Endpoint by using JSON Add Node to mark the token returned by the information service as 'active' with the following sample policy:
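The following JavaScript is an added illustration of that transformation, not the sample policy and not product code: it adds `active` to a token-information body and returns `{"active": false}` when the lookup failed or the token has no lifetime left, which is how RFC 7662 represents an inactive token. The input field names (`audience`, `scope`, `expires_in`, `error`) and the function names are assumptions made for the example.

```javascript
// Added example. Input field names (expires_in, error, ...) are assumed,
// not taken from the product documentation.

// Build an introspection response from the parsed token-info JSON.
// `tokenInfo` is null/undefined when the lookup failed or returned no body.
function toIntrospectionResponse(tokenInfo) {
  const inactive = { active: false };
  if (tokenInfo === null || typeof tokenInfo !== "object" || Array.isArray(tokenInfo)) {
    return inactive;
  }
  // An error body describes a failed lookup, not a token.
  if ("error" in tokenInfo) return inactive;
  // If a remaining lifetime is reported, it must be a positive number.
  if ("expires_in" in tokenInfo) {
    const ttl = tokenInfo.expires_in;
    if (typeof ttl !== "number" || !Number.isFinite(ttl) || ttl <= 0) return inactive;
  }
  // Spread first so an "active" value in the upstream body cannot override ours.
  return { ...tokenInfo, active: true };
}

// Resource-server side: only the boolean true counts as active.
function isTokenActive(introspection) {
  return introspection !== null && typeof introspection === "object" &&
         introspection.active === true;
}

// Constructed sample bodies.
const samples = {
  valid: { audience: "client-a", scope: "read", expires_in: 1800 },
  expired: { audience: "client-a", scope: "read", expires_in: 0 },
  failed: { error: "invalid_token" },
  spoofed: { scope: "read", expires_in: 60, active: "yes" },
};
for (const [name, body] of Object.entries(samples)) {
  console.log(name, JSON.stringify(toIntrospectionResponse(body)));
}
```

A policy that sets `active` unconditionally is only correct if the information service never returns a body for an expired or unknown token; the checks above make that condition explicit.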