diff --git a/pkg/oidc/introspection.go b/pkg/oidc/introspection.go
index 98f3969..98a8e25 100644
--- a/pkg/oidc/introspection.go
+++ b/pkg/oidc/introspection.go
@@ -6,8 +6,6 @@ import (
 	"time"
 
 	"golang.org/x/text/language"
-
-	"github.com/caos/oidc/pkg/utils"
 )
 
 type IntrospectionRequest struct {
@@ -230,11 +228,16 @@ func (i *introspectionResponse) MarshalJSON() ([]byte, error) {
 		return b, nil
 	}
 
-	claims, err := json.Marshal(i.claims)
+	err = json.Unmarshal(b, &i.claims)
 	if err != nil {
 		return nil, fmt.Errorf("jws: invalid map of custom claims %v", i.claims)
 	}
-	return utils.ConcatenateJSON(b, claims)
+
+	return json.Marshal(i.claims)
+	//if err != nil {
+	//	return nil, fmt.Errorf("jws: invalid map of custom claims %v", i.claims)
+	//}
+	//return utils.ConcatenateJSON(b, claims)
 }
 
 func (i *introspectionResponse) UnmarshalJSON(data []byte) error {
diff --git a/pkg/op/storage.go b/pkg/op/storage.go
index c4da464..4072630 100644
--- a/pkg/op/storage.go
+++ b/pkg/op/storage.go
@@ -30,9 +30,10 @@ type OPStorage interface {
 	AuthorizeClientIDSecret(ctx context.Context, clientID, clientSecret string) error
 	SetUserinfoFromScopes(ctx context.Context, userinfo oidc.UserInfoSetter, userID, clientID string, scopes []string) error
 	SetUserinfoFromToken(ctx context.Context, userinfo oidc.UserInfoSetter, tokenID, subject, origin string) error
+	SetIntrospectionFromToken(ctx context.Context, userinfo oidc.IntrospectionResponse, tokenID, subject, callerTokenID, callerSubject string) error
 	GetPrivateClaimsFromScopes(ctx context.Context, userID, clientID string, scopes []string) (map[string]interface{}, error)
 	GetKeyByIDAndUserID(ctx context.Context, keyID, userID string) (*jose.JSONWebKey, error)
-	//ValidateJWTProfileScopes(ctx context.Context, userID string, scope oidc.Scopes) (oidc.Scopes, error)
+	ValidateJWTProfileScopes(ctx context.Context, userID string, scope oidc.Scopes) (oidc.Scopes, error)
 
 	//deprecated: use GetUserinfoFromScopes instead
 	GetUserinfoFromScopes(ctx context.Context, userID, clientID string, scopes []string) (oidc.UserInfo, error)
diff --git a/pkg/op/token_intospection.go b/pkg/op/token_intospection.go
index e6a5d4a..8ea4dbb 100644
--- a/pkg/op/token_intospection.go
+++ b/pkg/op/token_intospection.go
@@ -3,6 +3,7 @@ package op
 import (
 	"errors"
 	"net/http"
+	"strings"
 
 	"github.com/caos/oidc/pkg/oidc"
 	"github.com/caos/oidc/pkg/utils"
@@ -22,20 +23,24 @@ func introspectionHandler(introspector Introspector) func(http.ResponseWriter, *
 }
 
 func Introspect(w http.ResponseWriter, r *http.Request, introspector Introspector) {
-	//validate authorization
-
+	callerToken := r.Header.Get("authorization")
 	response := oidc.NewIntrospectionResponse()
-	token, err := ParseTokenInrospectionRequest(r, introspector.Decoder())
-	if err != nil {
-		utils.MarshalJSON(w, response)
-		return
-	}
-	tokenID, subject, ok := getTokenIDAndSubject(r.Context(), introspector, token)
+	callerToken, callerSubject, ok := getTokenIDAndSubject(r.Context(), introspector, strings.TrimPrefix(callerToken, oidc.PrefixBearer))
 	if !ok {
 		utils.MarshalJSON(w, response)
 		return
 	}
-	err = introspector.Storage().SetUserinfoFromToken(r.Context(), response, tokenID, subject, r.Header.Get("origin"))
+	introspectionToken, err := ParseTokenInrospectionRequest(r, introspector.Decoder())
+	if err != nil {
+		utils.MarshalJSON(w, response)
+		return
+	}
+	tokenID, subject, ok := getTokenIDAndSubject(r.Context(), introspector, introspectionToken)
+	if !ok {
+		utils.MarshalJSON(w, response)
+		return
+	}
+	err = introspector.Storage().SetIntrospectionFromToken(r.Context(), response, tokenID, subject, callerToken, callerSubject)
 	if err != nil {
 		utils.MarshalJSON(w, response)
 		return
diff --git a/pkg/op/tokenrequest.go b/pkg/op/tokenrequest.go
index 5cb872e..e0729bf 100644
--- a/pkg/op/tokenrequest.go
+++ b/pkg/op/tokenrequest.go
@@ -191,9 +191,11 @@ func JWTProfile(w http.ResponseWriter, r *http.Request, exchanger JWTAuthorizati
 		return
 	}
 
-	//TODO: filter scopes
-	tokenRequest.Scopes = ValidateJWTProfileScopes(tokenRequest., profileRequest.Scope)
-
+	tokenRequest.Scopes, err = exchanger.Storage().ValidateJWTProfileScopes(r.Context(), tokenRequest.Issuer, profileRequest.Scope)
+	if err != nil {
+		RequestError(w, r, err)
+		return
+	}
 	resp, err := CreateJWTTokenResponse(r.Context(), tokenRequest, exchanger)
 	if err != nil {
 		RequestError(w, r, err)
@@ -215,24 +217,6 @@ func ParseJWTProfileRequest(r *http.Request, decoder utils.Decoder) (*oidc.JWTPr
 	return tokenReq, nil
 }
 
-func ValidateJWTProfileScopes(client Client, scopes []string) []string {
-	for i := len(scopes) - 1; i >= 0; i-- {
-		scope := scopes[i]
-		if !(scope == oidc.ScopeOpenID ||
-			scope == oidc.ScopeProfile ||
-			scope == oidc.ScopeEmail ||
-			scope == oidc.ScopePhone ||
-			scope == oidc.ScopeAddress ||
-			scope == oidc.ScopeOfflineAccess) && //TODO: allowed
-			!client.IsScopeAllowed(scope) {
-			scopes[i] = scopes[len(scopes)-1]
-			scopes[len(scopes)-1] = ""
-			scopes = scopes[:len(scopes)-1]
-		}
-	}
-	return scopes
-}
-
 func TokenExchange(w http.ResponseWriter, r *http.Request, exchanger Exchanger) {
 	tokenRequest, err := ParseTokenExchangeRequest(w, r)
 	if err != nil {