> ## Documentation Index
> Fetch the complete documentation index at: https://help-plum.xoxoday.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Validate Token

> Validate whether the current `access_token` is still active. Pass the Bearer token in the `Authorization` header. Note: `expires_in` is in seconds.


| \*\*Parameter \*\* | \*\* Type \*\* | \*\* Description\*\*                                                                          |
| ------------------ | -------------- | --------------------------------------------------------------------------------------------- |
| **access\_token**  | string         | The validated access token issued by Xoxoday. Used for authorization in subsequent API calls. |
| **token\_type**    | string         | Indicates the type of token. Always returned as `"bearer"`.                                   |
| **expires\_in**    | number         | Epoch timestamp representing when the token will expire.                                      |

<br />

At any point, if you want to validate if the `access_token` is valid or not, then you can call the endpoint as outlined on this page. The client application will pass the bearer token in the header. The response to the request will be as outlined on the right-hand side panel.

> Note: `expires_in` is in seconds.


## OpenAPI

````yaml specs/rewards-auth.yaml GET /token
openapi: 3.0.3
info:
  title: Xoxoday Rewards API – Authentication
  version: '1.2'
  description: >
    Token management for the Rewards API.

    Both paths resolve correctly against the default server — no virtual paths
    needed.
servers:
  - url: https://stagingstores.xoxoday.com/chef/v1/oauth
    description: Sandbox
  - url: https://accounts.xoxoday.com/chef/v1/oauth
    description: Production
  - url: https://canvas.xoxoday.com/chef/v1/oauth
    description: Testing
security:
  - BearerAuth: []
tags:
  - name: Authentication
paths:
  /token:
    get:
      tags:
        - Authentication
      summary: Validate Token
      description: >
        Validate whether the current `access_token` is still active. Pass the
        Bearer token in the `Authorization` header. Note: `expires_in` is in
        seconds.
      operationId: validateTokenRewards
      responses:
        '200':
          description: Token is valid.
          content:
            application/json:
              schema:
                type: object
                properties:
                  access_token:
                    type: string
                    description: The validated access token issued by Xoxoday.
                  token_type:
                    type: string
                    description: Always `bearer`.
                  expires_in:
                    type: number
                    description: >-
                      Epoch timestamp representing when the token will expire
                      (seconds).
              example:
                access_token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
                token_type: bearer
                expires_in: 1296000
        '401':
          $ref: '#/components/responses/Unauthorized'
components:
  responses:
    Unauthorized:
      description: Missing or invalid access token.
      content:
        application/json:
          schema:
            type: object
            properties:
              error:
                type: string
                example: Unauthorized
  securitySchemes:
    BearerAuth:
      type: http
      scheme: bearer
      description: '`Authorization: Bearer <access_token>`'

````