The required audience (the RFC 8707 resource). When set, a token whose introspection response does not list it among its audiences is rejected.
How the resource server authenticates at the introspection endpoint: clientSecretBasic (HTTP Basic, the default) or clientSecretPost (credentials in the form body).
Optional TTL for caching positive (active:true) introspection results, keyed by the raw token. Zero (the default) disables caching. Caching trades revocation latency for performance: a token revoked at the AS, or one whose own exp is sooner than the TTL, may be served as valid from cache until the entry expires. Entry expiry is clamped to the token's exp (RFC 7662) when present, so the staleness window never outlives the token itself.
The resource server's client identifier registered at the AS, used to authenticate the introspection request.
The resource server's client secret at the AS.
The authorization server's RFC 7662 introspection endpoint. Introspection requests are sent to it with POST.
Scopes the token must carry. All must be present in the introspection response's scope for the token to be accepted.
Configuration for introspectionVerifier.
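
The audience check, the scope check and the exp-clamped positive cache described above, as an added Python sketch; it is not the project's own code. The names `accepts`, `PositiveCache` and `SAMPLE` are hypothetical, and the introspection response is assumed to be already parsed into a dict.

```python
import time

# Constructed sample RFC 7662 introspection response (not real data).
SAMPLE = {"active": True, "aud": "https://api.example", "scope": "read write", "exp": 1060}

def accepts(resp, audience=None, scopes=()):
    """Return True only if the token is active and meets the configured requirements."""
    if resp.get("active") is not True:
        return False
    if audience is not None:
        aud = resp.get("aud", [])
        if isinstance(aud, str):  # aud may be a single string or a list of strings
            aud = [aud]
        if audience not in aud:
            return False
    granted = set(resp.get("scope", "").split())  # scope is a space-separated string
    return all(s in granted for s in scopes)  # every required scope must be present

class PositiveCache:
    """Caches active:true results keyed by the raw token; ttl <= 0 disables caching."""
    def __init__(self, ttl, clock=time.time):
        self.ttl, self.clock, self.entries = ttl, clock, {}

    def put(self, token, resp):
        if self.ttl <= 0 or resp.get("active") is not True:
            return  # never cache negative results
        expires = self.clock() + self.ttl
        exp = resp.get("exp")
        if isinstance(exp, (int, float)) and not isinstance(exp, bool):
            expires = min(expires, exp)  # clamp entry expiry to the token's own exp
        self.entries[token] = (expires, resp)

    def get(self, token):
        entry = self.entries.get(token)
        if entry is None:
            return None
        expires, resp = entry
        if self.clock() >= expires:  # stale entry: drop it and force a fresh introspection
            del self.entries[token]
            return None
        return resp
```

A revocation at the AS is still invisible to `get` until the entry expires, which is the revocation-latency cost the TTL description names.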