AM's macaroon endpoint can be used to inspect and manipulate macaroons. Macaroons are designed to be manipulated locally using a Macaroon library. This can be done securely by anybody in possession of the Macaroon token without needing access to any keys at all.

AM's macaroon endpoint supports two actions:

  • inspect: returns details about the macaroon.

  • restrict: adds a new caveat to the macaroon, returning a new macaroon.

You must compose the path to the introspect endpoint addressing the specific realm where the token was issued. For example, https://openam.example.com:8443/openam/json/realms/root/token/macaroon/?_action=inspect.

The following example shows AM returning macaroon information:

$ curl \
--request POST \
--header "Content-Type: application/json" \
--header "cache-control: no-cache" \
--data '{
    }' \
  "identifier": "1bmn1TQTONczbom-V2lCpaH4BUk",
  "location": "",
  "caveats": [
        "type": "first-party",
        "identifier": {
         "scope": "openid profile"
   "signature": "kmVBwqpoi4nwakksk3b8KcSZvlYYmjCPdUTrFKFnhEY"


OpenID Connect clients must ensure that the following information is present in the JSON:

  • The openid scope. For example, "scopes": ["profile", "openid"].

  • The id_token response type. For example, "response_types": ["code", "id_token code"].

Read a different version of :