hi!

yes, the introspect endpoint is a requirement when using HTTP requests to the jsreport HTTP API. right now there is no other way to authenticate the token against the authorization server.

i am opening a new issue to check what MS is recommending in this case (validate with the token signature and issuer validation in the OpenID discovery document). you can subscribe in the issue for updates about the feature, however we don't have am exact time when we will check this.