Access token with introspection vs. ID token with manual inspection

danilopiazza · May 4, 2026, 7:16am

My application (let’s call it “A”) is relying on Keycloak for authentication with OIDC, and everything works fine.

Now, from A (on the back-end side), I need to call another application (called “B”) and I’d like to integrate it with Keycloak (I can make changes to B).

Should I:

a) send the OpenID Connect ID Token to B, and have B validate it?
b) send the OAuth 2.0 Access Token to B, and have B call the Token Introspection endpoint?
c) any of the above would be fine?

I’m looking just for few generic pointers, as I wasn’t able to find advice in the OIDC specification.

Thanks!

dasniko · May 4, 2026, 9:07am

The ID token is always only issued to the client itself, it will not be forwarded.
The Access token is the one for be forwarded. As it is a JWT, it can be validated offline or by sending it to the introspection endpoint.

Topic		Replies	Views
Token introspection request between two Keycloak servers Getting advice	0	527	August 29, 2021
Token exchange using id_token Getting advice authentication , oidc	1	1496	March 25, 2022
Keycloak ID Token	2	375	November 22, 2024
Should lightweight access tokens always be introspected? Getting advice authentication , oidc	7	27	May 15, 2026
How can I validate the token obtained via Keycloak Login theme in REST API? Getting advice account-rest , admin-rest , authentication , oidc	0	714	December 14, 2021

Access token with introspection vs. ID token with manual inspection

Related topics