HTTP API: Inspecting Webtask Tokens
Inspect existing webtask tokens and obtain the embedded secrets and code
The webtask token inspect endpoint is used to inspect an existing webtask token. The request provides the authenticating webtask token A1 in the headers and the token for inspection A2 in the query parameters.
Inspecting tokens is useful when you are storing derived tokens on behalf of your users in a multi-tenant setup. Inspecting tokens provides a mechanism to securely inspect the code and/or secrets that are embedded in a webtask that would otherwise be impossible to determine.
HTTPS GET /api/tokens/inspect?token=<A2_TOKEN>
Authorization: Bearer <A1_TOKEN>
The A2 token that is being inspected must have been created using the A1 token that is being used to authenticate the token inspection call.
A1 token cannot have either the
ectx claims set.
When inspecting a webtask token with fixed code, the fetch_code query parameter can be set to true in order to resolve any stored code before sending the response. The webtask's code will be available in the code property of the response body.
When inspecting a webtask token with encrypted secrets, the decrypt query parameter can be set to true in order to decrypt any secrets before sending the response.
The decrypted secrets will be available in the
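An added example, not part of the original documentation: a Python client that builds the inspect request with A1 in the Authorization header and A2 in the query string, and produces a log-safe form of it, since the inspected token travels in the URL and a decrypt=true response carries secrets. The host name, the function names and the JSON parsing of the response are assumptions.

```python
import json
import urllib.request
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qsl

# Assumption: placeholder host; substitute your own webtask cluster URL.
BASE_URL = "https://webtask.example.com"


def build_inspect_request(a1_token, a2_token, fetch_code=False, decrypt=False,
                          base_url=BASE_URL):
    """Build GET /api/tokens/inspect: A2 in the query, A1 as the bearer token."""
    params = [("token", a2_token)]
    # Only ask for resolved code / decrypted secrets when the caller needs them.
    if fetch_code:
        params.append(("fetch_code", "true"))
    if decrypt:
        params.append(("decrypt", "true"))
    url = f"{base_url}/api/tokens/inspect?{urlencode(params)}"
    return urllib.request.Request(
        url, method="GET", headers={"Authorization": f"Bearer {a1_token}"})


def redact_for_log(req):
    """Return a log-safe description: A2 sits in the URL, A1 in a header."""
    parts = urlsplit(req.full_url)
    query = [(k, "REDACTED" if k == "token" else v)
             for k, v in parse_qsl(parts.query)]
    safe_url = urlunsplit(parts._replace(query=urlencode(query)))
    return f"{req.get_method()} {safe_url} Authorization: Bearer REDACTED"


def inspect_token(a1_token, a2_token, **flags):
    """Send the request and return the parsed body (assumed to be JSON)."""
    req = build_inspect_request(a1_token, a2_token, **flags)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample tokens, not real credentials.
    req = build_inspect_request("A1.sample", "A2.sample", fetch_code=True)
    print(redact_for_log(req))
```

Because the A2 token is part of the request URL, proxy and access logs on the path will record it unless they apply the same redaction.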