[Openstack] Keystone Validate Token

Bryan Taylor btaylor at rackspace.com
Tue Dec 13 23:10:37 UTC 2011


The keystone management API has a validate token method that looks like:
GET /tokens/{tokenId}?belongsTo=tenantId

See <http://docs.openstack.org/incubation/identity-dev-guide/content/Validate_Token-d1e1914.html>

Why is the validate token method in the keystone admin API and not the service API? 

If the requestor has a token, they can act as the user, creating and deleting servers, files, etc., but we've decided to lock down the resource that says when their token expires, their username, and what roles and tenants they have. Why?



