# Validate Token

> Validate whether the current `access_token` is still active. Pass the Bearer token in the `Authorization` header.


To check at any point whether an `access_token` is still valid, call the endpoint described on this page. The client application passes the bearer token in the `Authorization` header. The response contains the fields listed under Response Schema.

## Response Schema

| **Property**           | **Type** | **Description**                                           |
| ---------------------- | -------- | --------------------------------------------------------- |
| access\_token          | string   | Newly generated access token for authenticated API calls. |
| token\_type            | string   | Always `"bearer"`.                                        |
| expires\_in            | number   | Token validity duration in seconds.                       |
| access\_token\_expiry  | number   | Epoch timestamp (ms) when the access token will expire.   |
| refresh\_token\_expiry | number   | Epoch timestamp (ms) when the refresh token will expire.  |
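
An added example (not Xoxoday's own code) of how a client might interpret the validation reply: it fails closed on a `401` or a malformed body and treats both expiry fields as epoch milliseconds. The function names, the `min_remaining_s` threshold, the placeholder token and the choice of the sandbox host as default are assumptions made for illustration.

```python
import json
import time
import urllib.error
import urllib.request

# Sandbox host from the page's OpenAPI spec plus the /token path.
VALIDATE_URL = "https://stagingstores.xoxoday.com/chef/v1/oauth/token"
# Constructed sample reply, reusing the numbers from the page's OpenAPI example.
SAMPLE_BODY = json.dumps({
    "access_token": "<placeholder>", "token_type": "bearer",
    "expires_in": 1296000, "access_token_expiry": 1718000000000,
    "refresh_token_expiry": 1720000000000,
})


def evaluate_validation(status, body, now_ms, min_remaining_s=300):
    """Interpret a GET /token reply; anything unexpected counts as invalid."""
    result = {"valid": False, "remaining_s": 0, "should_refresh": True,
              "refresh_possible": False}
    if status != 200:  # 401 means a missing or invalid access token
        return result
    try:
        data = json.loads(body)
        token_type = str(data["token_type"]).lower()
        access_exp_ms = int(data["access_token_expiry"])
        refresh_exp_ms = int(data["refresh_token_expiry"])
    except (ValueError, KeyError, TypeError, OverflowError):
        return result
    if token_type != "bearer":
        return result
    # Expiry fields are epoch milliseconds; time.time() returns seconds.
    remaining_s = (access_exp_ms - now_ms) // 1000
    result["refresh_possible"] = refresh_exp_ms > now_ms
    if remaining_s <= 0:
        return result
    result.update(valid=True, remaining_s=remaining_s,
                  should_refresh=remaining_s < min_remaining_s)
    return result


def validate_token(access_token, url=VALIDATE_URL, timeout=10):
    """Call the endpoint; the token travels only in the Authorization header."""
    req = urllib.request.Request(
        url, headers={"Authorization": f"Bearer {access_token}"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read()
    except urllib.error.HTTPError as err:  # non-2xx reply, e.g. 401
        status, body = err.code, err.read()
    return evaluate_validation(status, body, now_ms=int(time.time() * 1000))
```

Keep the token out of URLs and logs; `validate_token` returns only the derived status, never the token itself.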


## OpenAPI

````yaml specs/reward-points-api.yaml GET /token
openapi: 3.0.3
info:
  title: Xoxoday Reward Points API
  version: '1.2'
  description: >
    APIs for sending, fetching, and cancelling reward points in the Xoxoday
    ecosystem.


    **Auth endpoints** use operation-level server overrides against
    `https://stagingstores.xoxoday.com/chef/v1/oauth`.


    **Points operations** (`/fetchPoints`, `/sendPoints`, `/cancelPoints`) are
    virtual path suffixes — all three really dispatch to `POST /v1/oauth/api`
    via the body `query` field. OpenAPI does not allow two POST operations on
    the same path, so virtual suffixes are used for playground differentiation.


    **Cancel Points** uses `accounts.xoxoday.com` as its real host
    (operation-level server override applied).
servers:
  - url: https://stagingstores.xoxoday.com/chef/v1/oauth/api
    description: Sandbox
  - url: https://accounts.xoxoday.com/chef/v1/oauth/api
    description: Production
  - url: https://canvas.xoxoday.com/chef/v1/oauth/api
    description: Testing
security:
  - BearerAuth: []
tags:
  - name: Authentication
    description: Token management — validate, refresh, and create user tokens.
  - name: Points
    description: Send, fetch, and cancel reward points.
paths:
  /token:
    get:
      tags:
        - Authentication
      summary: Validate Token
      description: >
        Validate whether the current `access_token` is still active. Pass the
        Bearer token in the `Authorization` header.
      operationId: validateTokenPoints
      responses:
        '200':
          description: Token is valid.
          content:
            application/json:
              schema:
                type: object
                properties:
                  access_token:
                    type: string
                    description: The validated access token.
                  token_type:
                    type: string
                    description: Always `bearer`.
                  expires_in:
                    type: number
                    description: Token validity duration in seconds.
                  access_token_expiry:
                    type: number
                    description: Epoch timestamp (ms) when the access token expires.
                  refresh_token_expiry:
                    type: number
                    description: Epoch timestamp (ms) when the refresh token expires.
              example:
                access_token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
                token_type: bearer
                expires_in: 1296000
                access_token_expiry: 1718000000000
                refresh_token_expiry: 1720000000000
        '401':
          $ref: '#/components/responses/Unauthorized'
      servers:
        - url: https://stagingstores.xoxoday.com/chef/v1/oauth
          description: Sandbox
        - url: https://accounts.xoxoday.com/chef/v1/oauth
          description: Production
        - url: https://canvas.xoxoday.com/chef/v1/oauth
          description: Testing
components:
  responses:
    Unauthorized:
      description: Missing or invalid access token.
      content:
        application/json:
          schema:
            type: object
            properties:
              error:
                type: string
                example: Unauthorized
  securitySchemes:
    BearerAuth:
      type: http
      scheme: bearer
      description: '`Authorization: Bearer <access_token>`'

````