AM 7.2.2


AM’s macaroon endpoint can be used to inspect and manipulate macaroons. Macaroons are designed to be manipulated locally using a macaroon library. This can be done securely by anybody in possession of the macaroon token without needing access to any keys at all.

AM’s macaroon endpoint supports two actions:

  • inspect: returns details about the macaroon.

  • restrict: adds a new caveat to the macaroon, returning a new macaroon.

You must compose the path to the introspect endpoint addressing the specific realm where the token was issued. For example,

The following example shows AM returning macaroon information:

$ curl \
--request POST \
--header "Content-Type: application/json" \
--header "cache-control: no-cache" \
--data '{
    }' \
  "identifier": "1bmn1TQTONczbom-V2lCpaH4BUk",
  "location": "",
  "caveats": [
        "type": "first-party",
        "identifier": {
         "scope": "openid profile"
   "signature": "kmVBwqpoi4nwakksk3b8KcSZvlYYmjCPdUTrFKFnhEY"

OpenID Connect clients must ensure that the following information is present in the JSON:

  • The openid scope. For example, "scopes": ["profile", "openid"].

  • The id_token response type. For example, "response_types": ["code", "id_token code"].

Copyright © 2010-2024 ForgeRock, all rights reserved.