Use this endpoint to verify that a bearer token is still active before executing a sensitive or irreversible operation. The response confirms the token’s identity context — including the associated client_id, granted authorities, and exact expiry timestamp — so you can make authorization decisions before committing to a downstream call.

Endpoint

GET https://api.shogun.io/api/v1/security/api/validate_token

Authentication

Pass your bearer token in the Authorization header:
Authorization: Bearer <your-access-token>

Request example

curl -X GET https://api.shogun.io/api/v1/security/api/validate_token \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."

Responses

200 — Token is valid

The token is active and has not expired. The data object contains the full token metadata.
{
  "status": true,
  "message": "Token is valid",
  "data": {
    "username": "kidashio",
    "client_id": "kidashio_client",
    "authorities": [
      "TRANSACTION_READ",
      "TRANSACTION_WRITE"
    ],
    "issued_at": "2024-01-15T10:30:00",
    "expires_at": "2024-01-16T10:30:00"
  }
}

Response fields

username (string)
  The username associated with the API client that owns this token.

client_id (string)
  The public client identifier for the API client that generated the token.

authorities (array of strings)
  The list of permission scopes granted to this token (for example, TRANSACTION_READ, TRANSACTION_WRITE). Check this list to confirm the token has the permissions required for the operation you intend to perform.

issued_at (string)
  ISO 8601 timestamp indicating when the token was originally issued.

expires_at (string)
  ISO 8601 timestamp indicating when the token will expire. Compare this against the current time to determine how much lifetime remains before you need to refresh.

401 — Token invalid or expired

Returned when the token is missing, malformed, or has passed its expiry time. You must generate a new token before retrying the request.
{
  "status": false,
  "message": "Invalid authentication token"
}
On receiving a 401, call POST /security/api/generate_token with your client_id and client_secret to obtain a fresh token.
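
The pre-flight check described above, as an added example (not code from this documentation or its vendor): it calls validate_token, then fails closed unless the response is a 200 with status true, every required authority is present, and enough lifetime remains. The names fetch_validation, check_token and min_remaining are hypothetical, and reading the offset-less timestamps as UTC is an assumption the page does not confirm.

```python
import json
import urllib.error
import urllib.request
from datetime import datetime, timedelta, timezone

VALIDATE_URL = "https://api.shogun.io/api/v1/security/api/validate_token"

def fetch_validation(token, timeout=5):
    """Call validate_token and return (http_status, parsed_body)."""
    req = urllib.request.Request(VALIDATE_URL, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:  # urllib raises on 401 instead of returning it
        try:
            return err.code, json.load(err)
        except ValueError:  # error body was not JSON
            return err.code, {}

def check_token(http_status, body, required, now, min_remaining=timedelta(seconds=60)):
    """Fail-closed decision; returns (allowed, reason). `now` must be timezone-aware."""
    if http_status != 200 or not isinstance(body, dict) or body.get("status") is not True:
        return False, "token rejected"
    data = body.get("data")
    if not isinstance(data, dict) or not isinstance(data.get("authorities"), list):
        return False, "malformed response"
    missing = set(required) - set(data["authorities"])
    if missing:
        return False, "missing authorities: " + ", ".join(sorted(missing))
    try:
        expires = datetime.fromisoformat(data["expires_at"])
    except (KeyError, TypeError, ValueError):
        return False, "unreadable expires_at"
    if expires.tzinfo is None:
        # Assumption: the documented timestamps carry no offset; treated as UTC here.
        expires = expires.replace(tzinfo=timezone.utc)
    if expires - now < min_remaining:
        return False, "token expires too soon"
    return True, "ok"

# Constructed samples mirroring the documented 200 and 401 response bodies.
SAMPLE_OK = {"status": True, "message": "Token is valid", "data": {
    "username": "kidashio", "client_id": "kidashio_client",
    "authorities": ["TRANSACTION_READ", "TRANSACTION_WRITE"],
    "issued_at": "2024-01-15T10:30:00", "expires_at": "2024-01-16T10:30:00"}}
SAMPLE_401 = {"status": False, "message": "Invalid authentication token"}
```

In use, pass the result of fetch_validation(token) and datetime.now(timezone.utc) to check_token, and request a fresh token when the reason is "token rejected" or "token expires too soon".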