Tokens

Utility endpoints for inspecting tokens and minting short-lived passports for cross-domain SSO.

See Authentication for the full token-type reference.

Validate

GET /v1/tokens/validate

Validate a token and return its claims. This is mostly a legacy convenience for clients that cannot decode JWTs themselves; modern clients should validate JWTs locally instead of round-tripping them to the API.

  • Auth: Public
  • Rate limit: 10 / 60s

Query params

Field    Constraints
token    required. JWT to validate.
type     required. access | password_reset | passport.

Response: 200 OK (JSON)

{
   "valid": true,
   "player_id": 42,
   "email": "anders@example.com",
   "roles": [ "ROLE_REGISTERED" ],
   "type": "access"
}

For invalid or expired tokens, the response body has valid set to false and the claim fields set to null.


Passport (cross-domain SSO)

GET /v1/tokens/passport

Mint a short-lived passport token for cross-domain SSO. The passport is a one-shot JWT derived from the caller's access token. Pass it to GET /v1/gateway/customs on the destination domain to exchange it for a full session.

  • Auth: Bearer access token

Response: 200 OK (JSON)

{
   "passport": "eyJhbGciOi…",
   "expires_in": 60
}

Usage

1. On origin (lextris.com), call GET /v1/tokens/passport to get a passport.
2. Redirect the browser to:
      https://api.katforge.com/v1/gateway/customs?passport=<jwt>&redirect=https://stumper.gg/welcome
3. The API mints fresh tokens for stumper.gg's domain, sets the refresh cookie, and 302s to the redirect URL.
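The origin side of this flow, as an added example rather than the project's own SDK: it interprets a validate response (branching on valid, not on the HTTP status), checks the passport's expires_in before use, and builds the customs URL with the redirect properly encoded. API_BASE is the host from the usage example; the redirect-host allowlist and the injected fetch callable are assumptions of this example, not part of the API.

```python
import time
from typing import Callable, Optional
from urllib.parse import urlencode, urlsplit

API_BASE = "https://api.katforge.com"  # host shown in the usage example above
# Hosts the origin will hand a session to after the customs hop (constructed
# allowlist; stumper.gg is the page's example destination).
ALLOWED_REDIRECT_HOSTS = {"stumper.gg"}


def claims_from_validate(resp: dict) -> Optional[dict]:
    """Interpret a GET /v1/tokens/validate body: return the claims for a valid
    token, None otherwise.  Invalid tokens still get 200 OK with valid=false and
    null claims, so callers must branch on `valid`, not on the HTTP status."""
    if resp.get("valid") is not True:
        return None
    return {key: resp[key] for key in ("player_id", "email", "roles", "type")}


def customs_url(passport_resp: dict, redirect: str, minted_at: float,
                now: Optional[float] = None) -> str:
    """Turn a GET /v1/tokens/passport body into the customs redirect URL.
    Refuses an already-expired passport (expires_in counts from minting) and any
    redirect target off the allowlist, because customs 302s the browser there
    with the destination's refresh cookie already set."""
    now = time.time() if now is None else now
    if now - minted_at >= passport_resp["expires_in"]:
        raise ValueError("passport expired; mint a fresh one")
    target = urlsplit(redirect)
    if target.scheme != "https" or target.hostname not in ALLOWED_REDIRECT_HOSTS:
        raise ValueError(f"refusing redirect to {redirect!r}")
    query = urlencode({"passport": passport_resp["passport"], "redirect": redirect})
    return f"{API_BASE}/v1/gateway/customs?{query}"


def sso_hop(fetch: Callable[[str, str, dict], dict], access_token: str,
            redirect: str) -> str:
    """Origin side of the flow: mint a passport with the bearer access token,
    then build the URL to send the browser to.  `fetch(method, url, headers)`
    is injected (assumed interface) so the example runs offline."""
    minted_at = time.time()
    body = fetch("GET", f"{API_BASE}/v1/tokens/passport",
                 {"Authorization": f"Bearer {access_token}"})
    return customs_url(body, redirect, minted_at)
```

Because the passport is one-shot and expires in 60 seconds, mint it immediately before the redirect rather than caching it.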