# Validate Token

> Validate whether the current `access_token` is still active. Pass the Bearer token in the `Authorization` header.


To check at any point whether an `access_token` is still valid, call the endpoint described on this page. The client application passes the bearer token in the `Authorization` header. The response to the request is as outlined in the right-hand side panel.


## OpenAPI

````yaml specs/storefront-api.yaml GET /token
openapi: 3.0.3
info:
  title: Xoxoday Storefront Integration API
  version: '1.2'
  description: >
    APIs for integrating your platform with Xoxoday's hosted StoreFront via SSO.


    **Xoxoday-hosted endpoints** (Validate Token, Refresh Token, SSO
    Redirection) are called **by the client against Xoxoday's servers** and
    resolve against the default server.


    ---


    **Client-implemented callback endpoints** (Get Balance, Get Profile, Refund,
    Update Redemption) are APIs that **Xoxoday calls on your server**. You must
    build and host these endpoints. The path definitions below document the
    exact request and response contracts Xoxoday expects. Replace
    `https://your-server.example.com` in the server list with your actual base
    URL.
servers:
  - url: https://stagingstores.xoxoday.com/chef/v1/oauth
    description: Sandbox (Xoxoday-hosted endpoints)
  - url: https://stores.xoxoday.com/chef/v1/oauth
    description: Production (Xoxoday-hosted endpoints)
  - url: https://canvas.xoxoday.com/chef/v1/oauth
    description: Testing (Xoxoday-hosted endpoints)
  - url: https://your-server.example.com
    description: Your server (client-implemented callback endpoints)
security:
  - BearerAuth: []
tags:
  - name: Authentication
    description: Token management — validate and refresh access tokens.
  - name: SSO
    description: Single Sign-On redirection into Xoxoday StoreFront.
  - name: Callbacks
    description: >
      Client-implemented APIs. Xoxoday calls these on **your server** during
      StoreFront sessions. You must build and expose these endpoints.
paths:
  /token:
    get:
      tags:
        - Authentication
      summary: Validate Token
      description: >
        Validate whether the current `access_token` is still active. Pass the
        Bearer token in the `Authorization` header.
      operationId: validateTokenStorefront
      responses:
        '200':
          description: Token is valid.
          content:
            application/json:
              schema:
                type: object
                properties:
                  access_token:
                    type: string
                    description: The validated access token.
                  token_type:
                    type: string
                    description: Always `bearer`.
                  expires_in:
                    type: number
                    description: Token validity duration in seconds.
                  access_token_expiry:
                    type: number
                    description: Epoch timestamp (ms) when the access token expires.
                  refresh_token_expiry:
                    type: number
                    description: Epoch timestamp (ms) when the refresh token expires.
              example:
                access_token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
                token_type: bearer
                expires_in: 1296000
                access_token_expiry: 1718000000000
                refresh_token_expiry: 1720000000000
        '401':
          $ref: '#/components/responses/Unauthorized'
components:
  responses:
    Unauthorized:
      description: Missing or invalid access token.
      content:
        application/json:
          schema:
            type: object
            properties:
              error:
                type: string
                example: Unauthorized
  securitySchemes:
    BearerAuth:
      type: http
      scheme: bearer
      description: '`Authorization: Bearer <access_token>`'

````
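
The following client-side sketch is an added example, not Xoxoday's own code. It calls `GET /token` as specified above and turns the documented `200`/`401` responses into a decision, failing closed when a `200` body does not match the schema. The function names, the state labels (`valid`, `refresh`, `reauth`, `invalid`) and the 60-second `SKEW_MS` margin are assumptions made for illustration.

```python
import json
import time
import urllib.error
import urllib.request

BASE_URL = "https://stagingstores.xoxoday.com/chef/v1/oauth"  # sandbox server from the spec
SKEW_MS = 60_000  # assumed margin for clock skew and in-flight requests


def classify(status, body, now_ms, skew_ms=SKEW_MS):
    """Map a Validate Token response to 'valid', 'refresh', 'reauth' or 'invalid'."""
    if status == 401:
        return "invalid"
    if status != 200:
        # Neither documented outcome: do not treat the token as valid.
        raise RuntimeError(f"unexpected status {status}")
    if not isinstance(body, dict):
        return "invalid"
    expiry = body.get("access_token_expiry")
    # Fail closed when a 200 body does not match the documented schema.
    if isinstance(expiry, bool) or not isinstance(expiry, (int, float)):
        return "invalid"
    if str(body.get("token_type", "")).lower() != "bearer":
        return "invalid"
    # Both *_expiry fields are epoch milliseconds; expires_in is seconds.
    if expiry - now_ms > skew_ms:
        return "valid"
    refresh_expiry = body.get("refresh_token_expiry")
    if isinstance(refresh_expiry, (int, float)) and refresh_expiry - now_ms > skew_ms:
        return "refresh"
    return "reauth"


def validate_token(access_token, base_url=BASE_URL, timeout=10):
    """Call GET /token; the token goes only in the Authorization header."""
    req = urllib.request.Request(
        f"{base_url}/token", headers={"Authorization": f"Bearer {access_token}"}
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, raw = resp.status, resp.read()
    except urllib.error.HTTPError as err:
        status, raw = err.code, err.read()
    try:
        body = json.loads(raw)
    except ValueError:
        body = None
    return classify(status, body, int(time.time() * 1000))
```

`classify` takes the current time as an argument so the decision logic can be unit-tested against constructed responses without a network call or a real token.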