This guide shows how to configure token introspection for an Express API using the MonoCloud Backend Node SDK.
With introspection, tokens are validated by sending them to the authorization server's introspection endpoint instead of being validated locally. This is required for opaque tokens and can also be enabled for JWT tokens.
Use introspection when:
This guide assumes you've completed the installation guide.
You should already have:

- `@monocloud/backend-node` SDK installed.

Add the client credentials and introspection setting to your `.env` file:

```dotenv
MONOCLOUD_BACKEND_TENANT_DOMAIN=https://<your-domain>
MONOCLOUD_BACKEND_AUDIENCE=https://<your-api-audience>
MONOCLOUD_BACKEND_CLIENT_ID=<your-client-id>
MONOCLOUD_BACKEND_CLIENT_SECRET=<your-client-secret>
MONOCLOUD_BACKEND_INTROSPECT_JWT_TOKENS=true
```
| Environment variable | Where to find the value in MonoCloud |
|---|---|
| `MONOCLOUD_BACKEND_CLIENT_ID` | Client ID from your API settings |
| `MONOCLOUD_BACKEND_CLIENT_SECRET` | Client Secret from your API settings |
Setting `MONOCLOUD_BACKEND_INTROSPECT_JWT_TOKENS` to `true` ensures that JWT access tokens are introspected by the authorization server rather than validated locally. The introspection call is authenticated with the client ID and secret above, so these values must stay on the server.

`protectApi()` automatically reads the introspection configuration from environment variables:
```typescript
import "dotenv/config";
import express from "express";
import {
  protectApi,
  type AuthenticatedExpressRequest,
} from "@monocloud/backend-node/express";

const app = express();
app.use(express.json());

const protect = protectApi();

// All routes require a valid access token (validated through introspection)
app.use(protect());

app.get("/api/data", (req, res) => {
  const { claims } = req as AuthenticatedExpressRequest;
  res.json({ claims });
});

app.listen(3000, () => {
  console.log("Server running on http://localhost:3000");
});
```
How it works:

- Each request's access token is validated by sending it to the authorization server's introspection endpoint, using the client credentials from your `.env` file.
- Because `MONOCLOUD_BACKEND_INTROSPECT_JWT_TOKENS` is `true`, JWT tokens are also introspected instead of validated locally.
- Requests whose token is missing or is not accepted by the introspection endpoint receive a `401 Unauthorized` response.
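To make the exchange above concrete, here is an added example (not the MonoCloud SDK's own code) of what an RFC 7662 introspection round trip looks like from the resource server's side: the request that carries the token and the client credentials, and the checks a resource server applies to the response before trusting it. The endpoint URL, audience value and sample responses are constructed for illustration, and the claim names follow RFC 7662 rather than any MonoCloud-specific format.

```javascript
// Added example: an RFC 7662 token introspection exchange as seen by the API
// (resource server). Illustrative only; not the MonoCloud SDK implementation.
// Endpoint, audience and sample responses below are constructed.

// Build the introspection request. Client credentials travel in an HTTP Basic
// Authorization header; the token goes in the form-encoded body, never in the
// URL, so it does not end up in access logs.
function buildIntrospectionRequest({ endpoint, clientId, clientSecret, token }) {
  const basic = Buffer.from(`${clientId}:${clientSecret}`).toString("base64");
  return {
    method: "POST",
    url: endpoint,
    headers: {
      Authorization: `Basic ${basic}`,
      "Content-Type": "application/x-www-form-urlencoded",
      Accept: "application/json",
    },
    body: new URLSearchParams({ token, token_type_hint: "access_token" }).toString(),
  };
}

// Decide whether an introspection response authorizes the request.
// Returns { ok: true, claims } or { ok: false, reason }. "active" is the only
// field RFC 7662 guarantees; exp and aud are checked when present because a
// token that is active but meant for another API must still be rejected.
function evaluateIntrospection(response, { audience, now = Math.floor(Date.now() / 1000) }) {
  if (!response || response.active !== true) {
    return { ok: false, reason: "token_inactive" };
  }
  if (typeof response.exp === "number" && response.exp <= now) {
    return { ok: false, reason: "token_expired" };
  }
  const aud = Array.isArray(response.aud) ? response.aud : response.aud ? [response.aud] : [];
  if (!aud.includes(audience)) {
    return { ok: false, reason: "audience_mismatch" };
  }
  return { ok: true, claims: response };
}

// Network call composing the two pure functions (global fetch, Node 18+).
// A non-2xx answer from the introspection endpoint is treated as a rejection,
// which is what produces the 401 for the caller of the API.
async function introspect(config, token) {
  const req = buildIntrospectionRequest({ ...config, token });
  const res = await fetch(req.url, { method: req.method, headers: req.headers, body: req.body });
  if (!res.ok) return { ok: false, reason: `introspection_http_${res.status}` };
  return evaluateIntrospection(await res.json(), { audience: config.audience });
}

// Constructed sample responses, shaped like an authorization server's answers.
const SAMPLE_AUDIENCE = "https://api.example.test";
const SAMPLE_ACTIVE = { active: true, aud: SAMPLE_AUDIENCE, exp: 2000000000, sub: "user-123", scope: "read" };
const SAMPLE_INACTIVE = { active: false };

// Stand-alone run: evaluate the constructed samples without a network call.
console.log(evaluateIntrospection(SAMPLE_ACTIVE, { audience: SAMPLE_AUDIENCE, now: 1700000000 }));
console.log(evaluateIntrospection(SAMPLE_INACTIVE, { audience: SAMPLE_AUDIENCE }));
```

In practice every protected request costs one round trip to the authorization server, which is the trade-off for being able to revoke tokens immediately; the SDK handles this call for you, and the example exists only to show which parts of the response decide between a 200 and a 401.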