ExMCP.Plugs.TokenIntrospection (ex_mcp v0.10.0)

Server-side token introspection endpoint (RFC 7662).

This plug handles incoming token introspection requests from resource servers or other authorized parties. It validates the token using a configured callback and returns the token's metadata.

Usage

plug ExMCP.Plugs.TokenIntrospection,
  # The hint is not used by this lookup, so it is underscore-prefixed
  introspect_fn: fn token, _token_type_hint ->
    case MyApp.TokenStore.lookup(token) do
      {:ok, token_data} ->
        {:ok, %{
          active: true,
          scope: token_data.scope,
          client_id: token_data.client_id,
          exp: token_data.expires_at,
          sub: token_data.subject
        }}
      # Unknown or invalid token: report inactive with no further metadata
      :error ->
        {:ok, %{active: false}}
    end
  end

Options

  • :introspect_fn (required) - A function (token, token_type_hint) -> {:ok, map()} | {:error, term()}. Must return a map with at least an :active or "active" boolean field. When the token is invalid or unknown, return {:ok, %{active: false}}.

  • :authenticate_client_fn - Optional function (conn) -> {:ok, client_id} | {:error, term()}. If provided, the requesting client is authenticated before introspection proceeds. Per RFC 7662, the introspection endpoint SHOULD require authentication.
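A sketch of both callbacks wired together, so that only authenticated callers can probe tokens and expired tokens are reported as inactive. This is an added example, not code from ex_mcp: the MyApp.Introspection module, the @clients map and its credentials are constructed for illustration, MyApp.TokenStore is the hypothetical store from the Usage snippet, and its expires_at is assumed to be Unix seconds.

```elixir
defmodule MyApp.Introspection do
  # Added example, not part of ex_mcp. Requires Plug (Plug.BasicAuth, Plug.Crypto).

  # Constructed sample credentials; load real ones from a secret store.
  @clients %{"resource-server-1" => "constructed-example-secret"}

  # Shape of :authenticate_client_fn: (conn) -> {:ok, client_id} | {:error, term()}
  def authenticate_client(conn) do
    with {id, secret} <- Plug.BasicAuth.parse_basic_auth(conn),
         expected = Map.get(@clients, id, ""),
         # Reject unknown clients explicitly: comparing "" with "" would succeed.
         true <- expected != "" and Plug.Crypto.secure_compare(secret, expected) do
      {:ok, id}
    else
      # Missing header, malformed header and wrong secret all fail the same way.
      _ -> {:error, :invalid_client}
    end
  end

  # Shape of :introspect_fn: (token, token_type_hint) -> {:ok, map()} | {:error, term()}
  def introspect(token, _token_type_hint) do
    now = System.system_time(:second)

    case MyApp.TokenStore.lookup(token) do
      # Only tokens that are known and not yet expired are reported active.
      {:ok, %{expires_at: exp} = data} when is_integer(exp) and exp > now ->
        {:ok,
         %{
           active: true,
           scope: data.scope,
           client_id: data.client_id,
           exp: exp,
           sub: data.subject
         }}

      # Unknown, expired and malformed tokens get the same minimal answer,
      # so the response does not reveal why a token was rejected.
      _ ->
        {:ok, %{active: false}}
    end
  end
end

# Wiring, in the option form shown under Usage:
#
#   plug ExMCP.Plugs.TokenIntrospection,
#     introspect_fn: &MyApp.Introspection.introspect/2,
#     authenticate_client_fn: &MyApp.Introspection.authenticate_client/1
```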