6 changes: 6 additions & 0 deletions website/docs/add-secure-apps/providers/oauth2/index.mdx
Expand Up @@ -66,6 +66,12 @@ sequenceDiagram
Due to how the OAuth2 provider endpoints are structured, you cannot create applications that use the slugs `authorize`, `token`, `device`, `userinfo`, `introspect`, or `revoke` as these would conflict with the global OAuth2 endpoints.
:::

### Cross-provider token introspection and revocation

The token introspection and revocation endpoints are global OAuth2 endpoints, but access to tokens is still scoped by provider. A client can introspect or revoke tokens issued by the same OAuth2 provider that authenticated the request.

For cross-provider introspection or revocation, authenticate the request with a confidential provider. Then, on the provider that issues the token, select the authenticating provider under **Federated OAuth2/OpenID Providers**. This allows the authenticating provider to introspect and revoke tokens issued by the federated provider.

### Additional configuration options with Redirect URIs

When using an OAuth 2.0 provider in authentik, the OP must validate the provided redirect URI by the RP. An authentik admin can configure a list in the **Redirect URI** field on the Provider.
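Review bot: the new section does not say that **Federated OAuth2/OpenID Providers** is the same list the `client_credentials` flow already uses to accept input JWTs (the next hunk in this file: "Input JWTs must be valid access tokens issued by any of the configured **Federated OAuth2/OpenID Providers**"), and the two uses point in opposite directions: for JWT client authentication the provider holding the list trusts tokens issued by the listed providers, while here the provider holding the list (the issuing provider) grants the listed provider the right to introspect and revoke its tokens. An admin who federated a provider for JWT authentication before this change gains cross-provider revocation without changing anything, so state plainly that one setting enables both capabilities. The text also requires the authenticating provider to be confidential without saying why; add the reason. Finally, pick one term for the calling side: this section says "authenticating provider", the later hunk in this file says "calling provider".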
Expand Up @@ -178,7 +178,7 @@ client_id=<client_id>

Alternatively, you can set the `client_secret` parameter to `<inputJWT>`, for applications which can set the password from a file but not other parameters.

Input JWTs must be valid access tokens issued by any of the configured **Federated OIDC Providers**. They must not have been revoked and must not have expired.
Input JWTs must be valid access tokens issued by any of the configured **Federated OAuth2/OpenID Providers**. They must not have been revoked and must not have expired.

To dynamically limit access based on the claims of the tokens, you can use [Expression policies](../../../customize/policies/types/expression/index.mdx).

Expand All @@ -204,11 +204,11 @@ If you receive an error response from authentik, it only includes a generic erro

However, you can obtain more detailed error information from the [authentik server container logs](../../../troubleshooting/logs/logs.mdx) by searching for the `request_id` from the response.

### OAuth introspection endpoint
### OAuth introspection and revocation endpoints

To use the OAuth introspection endpoint to obtain more information on a token, you must first authenticate to it.
To use the OAuth introspection endpoint to obtain more information on a token, you must first authenticate to it. By default, a provider can introspect or revoke tokens that were issued by that same provider.

You are only able to introspect a token from the same provider that was used to authenticate, or you must exchange the token for a token from the provider as described above.
To let a confidential provider introspect or revoke tokens from another OAuth2 provider, open the provider that issues the token and add the calling provider under **Federated OAuth2/OpenID Providers**. This applies to both `/application/o/introspect/` and `/application/o/revoke/`.

### Event logging

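Review bot: the first sentence under the renamed heading still describes only introspection ("To use the OAuth introspection endpoint to obtain more information on a token, you must first authenticate to it") although the heading now covers revocation as well; reword it to cover both endpoints, for example "To use the introspection or revocation endpoint, you must first authenticate to it." The replaced line also dropped the alternative of exchanging the token for one from the authenticating provider ("or you must exchange the token for a token from the provider as described above"); if that path still works it should remain documented as the option when the providers are not federated, and if it was removed on purpose the change should say so. Lastly, "a provider can introspect or revoke tokens" reads as if the provider itself acts; it is a client authenticated against that provider that calls `/application/o/introspect/` or `/application/o/revoke/`, as the first sentence already says.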
2 changes: 1 addition & 1 deletion website/docs/sys-mgmt/service-accounts.md
Expand Up @@ -45,7 +45,7 @@ Service account tokens have the following properties:

- **Expiration**: By default, tokens expire after 360 days but can be configured to be non-expiring.
- **Custom Expiration Date**: You can set a specific expiration date when creating the service account.
- **Revocation**: Tokens can be revoked at any time by deleting them or generating new ones.
- **Revocation**: Tokens can be revoked at any time by deleting them or generating new ones. OAuth2 access tokens associated with service accounts can also be introspected or revoked through the OAuth2 provider endpoints when the authenticating provider is the issuing provider or is configured for [cross-provider token introspection and revocation](../add-secure-apps/providers/oauth2/index.mdx#cross-provider-token-introspection-and-revocation).
- **Automatic Rotation**: When a token expires, it's automatically rotated to maintain security.

## Managing Service Account Tokens
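Review bot: the sentence added to the **Revocation** bullet mixes two kinds of token. The list describes service account tokens (the API tokens with the 360-day expiry and automatic rotation in the neighbouring bullets), but the new text is about "OAuth2 access tokens associated with service accounts", which are issued by an OAuth2 provider and are not the tokens this list documents; a reader can come away believing the service account token itself can be revoked through the OAuth2 endpoints. Move the sentence into its own bullet or paragraph that states it applies only to OAuth2 access tokens a service account obtains from a provider, and shorten it: the clause "when the authenticating provider is the issuing provider or is configured for cross-provider token introspection and revocation" can be replaced by a plain link to the cross-provider section. The relative path `../add-secure-apps/providers/oauth2/index.mdx` and the `#cross-provider-token-introspection-and-revocation` anchor do resolve to the heading added in the first file.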