
[Bug]: API Access with Client Credentials - Basic Authentication doesn't work as expected #652

Closed
1 of 2 tasks
idavollen opened this issue Sep 16, 2024 · 1 comment
Labels
auth bug Something isn't working

Comments


idavollen commented Sep 16, 2024

Preflight Checklist

  • I could not find a solution in the documentation, the existing issues or discussions
  • I have joined the ZITADEL chat

Version

latest

Describe the problem caused by this bug

Both https://github.com/zitadel/examples-api-access-and-token-introspection/tree/main/service-user-client-credentials and https://zitadel.com/blog/2023-03-23-api-access-and-introspection-04.png at https://zitadel.com/blog/api-access-and-introspection show API Access with Client Credentials - Basic Authentication. I ran the exampleop and followed this flow:

  1. generated the access_token at https://myexample.com/realms/csd/oauth/token and got it back: {"access_token":"9u5_ajxFVCtmL8HIN2itc-DmjrIzRFpHu65O0LA-cqL_Nnk_zO6ktR98tCC0ZIXcskOPt9c-5tCxFpdP","token_type":"Bearer","expires_in":299}
  2. manually validated the access_token, simulating an RS:
curl --location 'https://myexample.com/realms/csd/oauth/introspect' \
--header 'Authorization: Bearer 9u5_ajxFVCtmL8HIN2itc-DmjrIzRFpHu65O0LA-cqL_Nnk_zO6ktR98tCC0ZIXcskOPt9c-5tCxFpdP'

but got:
ErrorType=invalid_client Parent=client_id missing from request

To reproduce

  1. generate a Bearer token with grant type client_credentials
  2. validate this Bearer token by calling the introspect endpoint

Screenshots

No response

Expected behavior

The Bearer token should be successfully validated, since this is what OAuth2/OIDC directs.

Additional Context

No response

@idavollen idavollen added the bug Something isn't working label Sep 16, 2024
livio-a (Member) commented Sep 18, 2024

As shown in the docs and example, introspection is a protected endpoint, and the client / API needs to authenticate itself in order to check the token (of the client / user).
In your curl you send the client / user token as a header. This needs to be sent as part of the request in the body:
https://zitadel.com/docs/apis/openidoauth/endpoints#introspection_endpoint

@livio-a livio-a closed this as completed Sep 18, 2024
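The request shape the maintainer describes, as an added example that is not part of the issue thread and not ZITADEL's own code: the resource server (the API) authenticates itself with HTTP Basic on the introspection endpoint, and the token to be checked travels in the form body as the `token` parameter (RFC 7662), rather than in a `Bearer` header as in the reporter's curl. The introspection URL and the access token value are the ones from the report; the API's client_id and client_secret, the `fake_introspection_endpoint` stand-in server and its token table are constructed so the example runs offline.

```python
"""Token introspection against a protected endpoint (RFC 7662).

Added example, not code from the issue or from ZITADEL. The endpoint URL and
the token are taken from the bug report; the API credentials and the fake
server below are constructed for the demo.
"""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

INTROSPECT_URL = "https://myexample.com/realms/csd/oauth/introspect"  # from the report
REPORTED_TOKEN = (
    "9u5_ajxFVCtmL8HIN2itc-DmjrIzRFpHu65O0LA-cqL_Nnk_zO6ktR98tCC0ZIXcskOPt9c-5tCxFpdP"
)
# Constructed credentials of the *resource server* (the API), not of the caller.
API_CLIENT_ID = "api-service@demo"
API_CLIENT_SECRET = "s3cr3t/with+special=chars"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """HTTP Basic value for client authentication (RFC 6749 section 2.3.1).

    Both parts are form-urlencoded *before* base64 encoding, which matters as
    soon as the secret contains characters such as '/', '+', '=' or ':'.
    """
    user = urllib.parse.quote(client_id, safe="")
    password = urllib.parse.quote(client_secret, safe="")
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def build_introspection_request(token: str) -> urllib.request.Request:
    """Correct shape: the API authenticates itself in the Authorization header,
    the token under inspection goes into the x-www-form-urlencoded body."""
    body = urllib.parse.urlencode({"token": token, "token_type_hint": "access_token"})
    headers = {
        "Authorization": basic_auth_header(API_CLIENT_ID, API_CLIENT_SECRET),
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    return urllib.request.Request(INTROSPECT_URL, data=body.encode("utf-8"), headers=headers, method="POST")


def build_bearer_only_request(token: str) -> urllib.request.Request:
    """The shape from the bug report: token as a Bearer header, no client auth, no body."""
    return urllib.request.Request(INTROSPECT_URL, headers={"Authorization": f"Bearer {token}"}, method="POST")


def fake_introspection_endpoint(req: urllib.request.Request) -> tuple[int, dict]:
    """Constructed stand-in for the server so the example runs offline.

    It mirrors the behaviour visible in the issue: without client authentication
    the answer is invalid_client; with it, the token from the body is looked up.
    """
    known_tokens = {REPORTED_TOKEN: {"client_id": "service-user@demo", "scope": "openid", "exp": 1726500000}}
    auth = req.get_header("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, {"error": "invalid_client", "error_description": "client_id missing from request"}
    user, _, password = base64.b64decode(auth[len("Basic "):]).decode("utf-8").partition(":")
    if (urllib.parse.unquote(user), urllib.parse.unquote(password)) != (API_CLIENT_ID, API_CLIENT_SECRET):
        return 401, {"error": "invalid_client"}
    form = urllib.parse.parse_qs((req.data or b"").decode("utf-8"))
    claims = known_tokens.get(form.get("token", [""])[0])
    if claims is None:
        return 200, {"active": False}  # RFC 7662: unknown or expired token is not an error
    return 200, {"active": True, **claims}


def _send_http(req: urllib.request.Request) -> tuple[int, dict]:
    """Real transport: POST the request and return (status, JSON body)."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def introspect(token: str, send=None) -> dict:
    """Introspect `token` as the API; `send` swaps the real HTTP call for the fake.

    Callers must treat anything other than {"active": true, ...} as a rejected
    token, including a transport-level refusal of the API's own credentials.
    """
    status, payload = (send or _send_http)(build_introspection_request(token))
    if status != 200:
        raise PermissionError(f"introspection refused: {payload}")
    return payload


if __name__ == "__main__":
    print(fake_introspection_endpoint(build_bearer_only_request(REPORTED_TOKEN)))
    print(introspect(REPORTED_TOKEN, send=fake_introspection_endpoint))
```

Running the block against the fake server reproduces the reporter's `invalid_client` for the Bearer-only request and returns `{"active": true, ...}` for the correctly formed one; pointing `introspect()` at the real endpoint only requires dropping the `send=` argument and filling in the API's real client_id and client_secret.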