
Access Token Introspection & Caching — Revision Notes

Core Principle

Opaque access tokens require introspection to establish identity.
Caching is a performance optimization, not a security guarantee.

Token Models

JWT access tokens
  • Identity is inside the token
  • Validated locally by resource server
  • Cannot be revoked individually
  • Revocation = wait for expiry

Opaque access tokens
  • Identity is behind the token
  • Must be introspected
  • Can be revoked immediately
  • Server-side state exists


When Introspection Happens

Normal / Low-Risk APIs

  • Introspect on first use
  • Cache result (memory / Redis)
  • Typical TTL: 30–120 seconds
  • Majority of requests avoid auth server

Acceptable revocation delay: seconds


High-Criticality Workflows

Examples:
  • Payments
  • Refunds
  • Privilege escalation
  • Admin operations
  • PII export
  • Account recovery

Rule

The more dangerous the operation, the fresher the trust decision must be.


Approaches Used


Pattern 1 — Always Introspect (Strongest)

API Request Flow

  1. Introspect access token
  2. Build ClaimsPrincipal
  3. Evaluate authorization policies

Characteristics
  • Immediate revocation
  • Highest security
  • Higher latency
  • Lower throughput

Used in
  • Banking cores
  • Admin backends
  • Regulated systems


Pattern 2 — Near-Zero TTL Cache (Most Common)

API Request Flow

  1. Check cache (TTL: 1–5 seconds)
  2. If cache miss → introspect token
  3. Cache result
  4. Build ClaimsPrincipal
  5. Authorize

Characteristics
  • Near-instant revocation
  • Prevents auth server overload
  • Best security/performance balance


Pattern 3 — Conditional Introspection (Risk-Based)

Decision Logic

  • Low-risk / read operations
    → use cached identity

  • High-risk / write operations
    → force introspection

Triggers
  • Write vs read
  • High-value action
  • Role elevation
  • Token age
  • Anomaly detection

Characteristics
  • Scales well
  • Strong security guarantees
  • Common in mature systems
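Patterns 2 and 3 combined, as an added example that is not part of these notes: a near-zero-TTL cache whose high-risk path bypasses the cache, followed by the active == true check and a scope-based policy. fake_introspect, the token strings and the IntrospectionCache class are constructed stand-ins for a real RFC 7662 introspection call.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Constructed stand-in for the authorization server's introspection endpoint.
# Token strings are placeholders; the response shape mirrors the example in these notes.
INTROSPECTION_DB = {
    "tok-alice": {"active": True, "sub": "user-123",
                  "scope": "invoice.read invoice.write", "exp": 1730000000},
}

def fake_introspect(token: str) -> dict:
    """Simulates the network round-trip; unknown or revoked tokens come back inactive."""
    return dict(INTROSPECTION_DB.get(token, {"active": False}))

@dataclass
class IntrospectionCache:
    introspect: Callable[[str], dict]           # round-trip to the auth server
    ttl: float = 3.0                             # near-zero TTL in seconds (Pattern 2)
    clock: Callable[[], float] = time.time       # injectable so tests are deterministic
    calls: int = 0                               # auth-server round-trips made so far
    _entries: Dict[str, Tuple[float, dict]] = field(default_factory=dict)

    def resolve(self, token: str, high_risk: bool = False) -> Optional[dict]:
        """Return a principal {sub, scopes}, or None if the token is not usable.

        high_risk=True skips the cache (Pattern 3): the trust decision is
        re-established with the auth server for every dangerous operation.
        """
        now = self.clock()
        entry = self._entries.get(token)
        if high_risk or entry is None or now - entry[0] >= self.ttl:
            self.calls += 1
            resp = self.introspect(token)
            self._entries[token] = (now, resp)
        else:
            resp = entry[1]
        # Verify active == true and exp; never serve a cached inactive result again.
        if not resp.get("active") or resp.get("exp", 0) <= now:
            self._entries.pop(token, None)
            return None
        return {"sub": resp["sub"], "scopes": set(resp.get("scope", "").split())}

def authorize(principal: Optional[dict], required_scope: str) -> bool:
    """Policy check run after identity is established, exactly as for JWT-based APIs."""
    return principal is not None and required_scope in principal["scopes"]
```

The cached path still serves a token for up to ttl seconds after the auth server revokes it; the high-risk path sees the revocation on the next call.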


Identity Establishment

Introspection Response Example

{
  "active": true,
  "sub": "user-123",
  "scope": "invoice.read invoice.write",
  "exp": 1730000000
}

Resource Server Steps

  1. Verify active == true
  2. Create ClaimsPrincipal
  3. Run authorization policies

From this point onward, authorization behaves exactly like JWT-based APIs.


Design Rule (Interview-Grade)

Access tokens are short-lived and cheap to lose. Refresh tokens and introspection are where control lives.