Token/introspect always returns false even though tokens are valid

Running Keycloak v8.0.1

I can create valid tokens for my client, however, when I try to evaluate them using the token/introspect API, the result is always {“active”: False}, even though the session that was created when I generated the token is still valid (can see it in the UI under sessions).

I feel like perhaps my keycloak realm client lacks permissions to use the token/introspect api. Is there some switch I need to set or special permission or role that the client needs in order for introspection to succeed?

Wyllys Ingersoll