Checking the JWT token
JWT token validation and metadata retrieval (compliant with the RFC 7662 OAuth 2.0 Token Introspection schema).
The endpoint indicates whether the token provided in the Authorization: Bearer header is active and, if so, returns its associated permissions (scopes) and identifiers. No real operations are performed.
Usage:
The caller provides their own token and receives information about that specific token. This is ideal for a client to verify that a token is still valid, has not been revoked, and possesses the necessary rights before initiating a series of operational requests.
URL¶
POST /V1/Introspect.ashx
Headers¶
Authorization: Bearer {JWT} is the token that needs to be verified. Issued on https://security.webmoney.com/.
Response for an active token (JSON)¶
```json
{
"active": true,
"token_type": "Bearer",
"scope": "trans transHist balance",
"jti": "9f7a3a9e-1b2c-4d5e-8f60-112233445566",
"exp": 1767225600,
"iat": 1767139200,
"iss": "w3s.webmoney.com",
"aud": "w3s.webmoney.com",
"sub": "111122223333",
"master": "999988887777",
"slave": "111122223333",
"purse": "Z123456789012"
}
```
Response fields:¶
| Field | Type | Description |
|---|---|---|
| active | bool | `true` — the token is valid, signed, not expired, and not revoked |
| token_type | string | Token type, always `Bearer` |
| scope | string | The list of issued rights separated by a space: `inv trans transHist balance msg msgHist` |
| jti | string | The unique identifier of the token (GUID) |
| exp | long | Expiration time (Unix time, seconds) |
| iat | long | Issued-at time (Unix time, seconds), if present |
| nbf | long | Not valid before (Unix time, seconds), if present |
| iss | string | Token issuer |
| aud | string | Token audience |
| sub | string | Subject (matches `slave`) |
| master | string | WMID of the control key (claim `master`) |
| slave | string | WMID of the token owner (claim `slave`) |
| purse | string | The wallet to which the token is linked (if issued with wallet rights) |
Fields with null or missing values in the response are omitted.
Response for invalid/revoked/expired token (JSON)¶
In this case, according to RFC 7662 §2.2, only one attribute is returned, without details:
```json
{
"active": false
}
```
The same answer is given if:
- the `Authorization` header is missing or does not start with `Bearer`;
- the token signature does not verify;
- the validity period (`exp`) has expired;
- the token entry is missing from the database (revoked).
Method not allowed (JSON)¶
```json
{
"active": false
}
```
Returned with HTTP status 405 for all methods except POST.
What this endpoint does not do:¶
- It does not validate a specific request against a specific endpoint, only the token itself.
To check "whether my transaction will go through with this body", send the
`X-Dry-Run: 1` header to the production endpoint (see below).
Relation to dry-run mode (checking without performing an operation)¶
All production endpoints `/V1/*` support a check mode that executes nothing:
if the header `X-Dry-Run: 1` (or the query parameter `?dryrun=1`)
is present, the request passes full token verification and body validation, but the actual
operation is not performed.
The response contains an additional field (JSON):
```json
{
"reqn": 1730486400000,
"retval": 0,
"retdesc": "OK (dry-run)",
"dryrun": true
}
```
Use `Introspect` for a one-time token check and `X-Dry-Run`
for a pre-check of a specific call.
All JSON interfaces with JWT authorization support dry-run, the token verification mode that performs no operation.
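The two-step pre-flight described above (introspect the token, then dry-run the real call), as an added client-side example that is not part of this documentation or of WebMoney's own code. It assumes `https://security.webmoney.com` is the host serving the `/V1/*` paths, and the `opener` parameter and `fake_opener` helper are constructed so the functions can be exercised offline.

```python
"""Client-side pre-flight: introspect the token, then dry-run the real call (added example)."""
import io
import json
import time
import urllib.request

BASE_URL = "https://security.webmoney.com"  # assumption: host serving the /V1/* endpoints

def _post_json(path, headers, body=None, opener=urllib.request.urlopen):
    """POST to BASE_URL + path and parse the JSON reply; `opener` is injectable for offline tests."""
    data = None if body is None else json.dumps(body).encode()
    hdrs = dict(headers)
    if data is not None:
        hdrs["Content-Type"] = "application/json"
    req = urllib.request.Request(BASE_URL + path, data=data, headers=hdrs, method="POST")
    with opener(req) as resp:
        return json.loads(resp.read().decode())

def introspect(token, opener=urllib.request.urlopen):
    """POST /V1/Introspect.ashx with the token under test in the Authorization: Bearer header."""
    return _post_json("/V1/Introspect.ashx", {"Authorization": "Bearer " + token}, opener=opener)

def token_usable(info, required_scopes, min_lifetime=60, now=None, skew=30):
    """Decide whether an introspection reply covers a planned batch of calls; returns (ok, reason).
    An inactive token carries only {"active": false} (RFC 7662 §2.2), so no other claim
    is read until `active` is true. `min_lifetime` guards against exp arriving mid-batch."""
    if not info.get("active"):
        return False, "inactive"
    now = time.time() if now is None else now
    if info.get("nbf", 0) > now + skew:
        return False, "not yet valid"
    if info.get("exp", 0) - now < min_lifetime:
        return False, "expires too soon for the planned batch"
    missing = set(required_scopes) - set(info.get("scope", "").split())
    if missing:
        return False, "missing scope: " + " ".join(sorted(missing))
    return True, "ok"

def dry_run(token, path, body, opener=urllib.request.urlopen):
    """Call a production /V1/* endpoint with X-Dry-Run: 1. True only when the server reports
    retval 0 AND confirms through the `dryrun` flag that nothing was actually executed."""
    headers = {"Authorization": "Bearer " + token, "X-Dry-Run": "1"}
    reply = _post_json(path, headers, body, opener=opener)
    return reply.get("retval") == 0 and reply.get("dryrun") is True

def fake_opener(reply):
    """Constructed stand-in for urlopen that answers every request with `reply` as JSON."""
    return lambda req: io.BytesIO(json.dumps(reply).encode())
```

Checking `dryrun is True` on the reply matters: a response without that flag means the call was not treated as a dry run, so a retval of 0 would then indicate a real operation.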