I get AccessToken from client, and then passing to server. I need to check is that access token belong to my app not others.
Is there any way to get the CLIENT_ID from token, just like Facebook's debug token.
It is not documented but as far as I tested the access token consists of 3 parts separated with dots while the second part is 7 characters matching the first 7 characters of the client_id of the app requesting the authentication:
access_token: xxxxxxxxx.yyyyyyy.zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
client_id: yyyyyyy*************************
user_id: xxxxxxxxx (first part of the access token)
Although it does not matter if the access_token generation was initiated by another application, because it is a privilege to access the Instagram API on behalf of the authenticated user and it will not affect your application.