Validating a token is fairly simple and does not require the web site to perform any cryptography. In this example, the access token is sent to the Google endpoint located at https://accounts.google.com/o/oauth2/tokeninfo. The access token may be sent in the query string.

The Google endpoint responds with a JSON object that contains the following fields:

| Name | Value |
|---|---|
| `issued_to` | the application that was issued the token |
| `scope` | the scopes that the user consented to |
| `audience` | the protected resource the token may be sent to |
| `user_id` | the identifier of the user |
| `expires_in` | the remaining lifetime of the token in seconds |

Validating the token requires at least checking the audience and the expiration time. The Python (App Engine API) code needed to make the request to the Google endpoint and validate the response is shown below:

    import json
    import urllib

    from google.appengine.api import urlfetch

    # Ask the tokeninfo endpoint to describe the access token a_t.
    # The token travels in the query string, so URL-encode it.
    url = endpoints.TOKENINFO_ENDPOINT + '?access_token=' + urllib.quote(a_t)
    tokeninfo = json.loads(urlfetch.fetch(url).content)

    session['token_info'] = tokeninfo

    # Check the token audience using an exact match: the token must have
    # been issued for this application's client ID. An invalid token gets
    # an error object with no 'audience' key, so use .get() rather than [].
    if tokeninfo.get('audience') != endpoints.CLIENT_ID:
      self.error(400)
      return

    # Reject a token whose remaining lifetime has run out.
    if int(tokeninfo.get('expires_in', 0)) < 1:
      self.error(400)
      return