sso-oauth:IntrospectTokenWithIAM

Write

sso-oauth:IntrospectTokenWithIAM is a Write access-level action in the sso-oauth service. Grants permission to validate and retrieve information about active OAuth 2.0 access tokens and refresh tokens, including their associated scopes and permissions. This permission is used only by AWS managed applications and is not documented in the IAM Identity Center OIDC API Reference

Resource types

ARNs that sso-oauth:IntrospectTokenWithIAM can be scoped to in an IAM policy.

arn:${Partition}:sso::${AccountId}:application/${InstanceId}/${ApplicationId}
Application

Condition keys

No condition keys are documented for this action.

Dependent actions

To use sso-oauth:IntrospectTokenWithIAM you may also need to grant:

Example IAM policy

A minimal policy that allows sso-oauth:IntrospectTokenWithIAM. Replace "Resource": "*" with a specific ARN to follow least privilege.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSsooauthIntrospectTokenWithIAM",
      "Effect": "Allow",
      "Action": "sso-oauth:IntrospectTokenWithIAM",
      "Resource": "*"
    }
  ]
}

Related actions in sso-oauth

View all sso-oauth actions →