Reference Tokens

When using reference tokens, Duende IdentityServer stores the contents of the token in the persisted grant store and issues a unique identifier for this token back to the client.

The consumer of the token must use the introspection endpoint to validate the token.

You can set the token type of a client using the following client setting:

client.AccessTokenType = AccessTokenType.Reference;

Enabling an API to consume reference tokens

The introspection endpoint requires authentication - since the client of an introspection endpoint is typically an API, you configure the secret on the ApiResource:

    var api = new ApiResource("api1")
        ApiSecrets = { new Secret("secret".Sha256()) }
        Scopes = { "read", "write" }