{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "$id": "https://spring.io/projects/spring-security/schemas/token",
  "title": "Spring Security OAuth2 Token",
  "description": "OAuth 2.0 token response as issued by Spring Security or Spring Authorization Server",
  "type": "object",
  "required": ["access_token", "token_type"],
  "properties": {
    "access_token": {
      "type": "string",
      "description": "The access token issued by the authorization server"
    },
    "token_type": {
      "type": "string",
      "enum": ["Bearer"],
      "description": "Token type (always Bearer for OAuth 2.0)"
    },
    "expires_in": {
      "type": "integer",
      "minimum": 0,
      "description": "Lifetime of the access token in seconds"
    },
    "refresh_token": {
      "type": "string",
      "description": "Refresh token for obtaining new access tokens"
    },
    "scope": {
      "type": "string",
      "description": "Space-separated list of granted scopes"
    },
    "id_token": {
      "type": "string",
      "description": "JWT ID token (OpenID Connect only)"
    }
  },
  "definitions": {
    "IntrospectionResponse": {
      "title": "Token Introspection Response",
      "description": "RFC 7662 token introspection response",
      "type": "object",
      "required": ["active"],
      "properties": {
        "active": {
          "type": "boolean",
          "description": "Whether the token is active and valid"
        },
        "scope": {
          "type": "string"
        },
        "client_id": {
          "type": "string"
        },
        "username": {
          "type": "string"
        },
        "token_type": {
          "type": "string"
        },
        "exp": {
          "type": "integer",
          "description": "Expiration time as Unix timestamp"
        },
        "iat": {
          "type": "integer",
          "description": "Issued at time as Unix timestamp"
        },
        "nbf": {
          "type": "integer",
          "description": "Not before time as Unix timestamp"
        },
        "sub": {
          "type": "string",
          "description": "Subject (user identifier)"
        },
        "aud": {
          "oneOf": [
            { "type": "string" },
            { "type": "array", "items": { "type": "string" } }
          ],
          "description": "Intended audience"
        },
        "iss": {
          "type": "string",
          "format": "uri",
          "description": "Issuer URI"
        },
        "jti": {
          "type": "string",
          "description": "JWT ID"
        }
      }
    },
    "OAuthError": {
      "title": "OAuth2 Error Response",
      "type": "object",
      "required": ["error"],
      "properties": {
        "error": {
          "type": "string",
          "enum": [
            "invalid_request",
            "invalid_client",
            "invalid_grant",
            "unauthorized_client",
            "unsupported_grant_type",
            "invalid_scope",
            "access_denied",
            "server_error"
          ]
        },
        "error_description": {
          "type": "string"
        },
        "error_uri": {
          "type": "string",
          "format": "uri"
        }
      }
    }
  }
}