Token introspection clarification

In v3.0 refresh token introspection, the requirements for success (token active) responses are easily confused with those for non-success (token inactive, not found, etc.) responses. This page clarifies the requirements.

Successful response

When an introspection request includes a refresh token that is valid and active for the Third Party, the exp field is required to be populated in a successful response. This is an additional constraint on top of RFC7662, and it assures Third Parties that the required information (token expiry) will be available to them.

Example (minimal, non-normative) successful response:

{ "active": true, "exp": 1726611345 }

Non-success response

In the case of a non-success response to an introspection request (e.g. token invalid or expired), RFC7662 applies, and the exp field is not required to be present. As per RFC7662, in a non-success response, claims other than active should not be populated.

Example non-success response:

{ "active": false }
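
A conformance check for the two rules above, as an added example that is not part of the standard. The function name check_introspection_response is hypothetical, and the comparison of exp against the current time is an extra consistency check beyond what this page requires.

```python
import json
import time


def check_introspection_response(body, now=None):
    """Return a list of problems found; an empty list means the body conforms."""
    now = time.time() if now is None else now
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as err:
        return ["not valid JSON: " + err.msg]
    if not isinstance(doc, dict):
        return ["response must be a JSON object"]

    # RFC 7662: "active" is required and is a JSON boolean, not a string.
    active = doc.get("active")
    if not isinstance(active, bool):
        return ["'active' must be present and must be a JSON boolean"]

    problems = []
    if active:
        # Rule from this page: exp must be populated when the token is active.
        exp = doc.get("exp")
        # bool is a subclass of int in Python, so reject it explicitly.
        if isinstance(exp, bool) or not isinstance(exp, int):
            problems.append("active token: 'exp' is required as an integer timestamp")
        elif exp <= now:
            # Added consistency check (assumption of this example, not a page rule).
            problems.append("active token: 'exp' is not in the future")
    else:
        # Rule from this page: only "active" should be populated when inactive.
        extra = sorted(k for k in doc if k != "active")
        if extra:
            problems.append("inactive token: unexpected claims: " + ", ".join(extra))
    return problems


if __name__ == "__main__":
    # Constructed sample bodies; the first two are the examples from this page.
    samples = [
        '{ "active": true, "exp": 1726611345 }',
        '{ "active": false }',
        '{ "active": true }',
        '{ "active": false, "exp": 1726611345, "scope": "accounts" }',
    ]
    for body in samples:
        print(body, "->", check_introspection_response(body, now=1726600000) or "OK")
```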