Kong OAuth2 Introspection Plugin question

Hi Team,
I have a question regarding the Kong OAuth2 Introspection plugin.
I would like to know whether the access token that is passed from Kong to the Authorisation Server is in JWT format?
If yes, why Kong has to use the introspection endpoint when it can validate the JWT token itself?
Also, when the client is sending the access token to Kong, is it sending it via a parameter in an URL encoded request or via a Header attribute?

Thank you
Best Regards
Jon


© 2019 Kong Inc.    Terms  •  Privacy  •  FAQ