OAuth Access Token Information

Overview

The OAuth 2.0 Access Token Information filter is used to return a JSON description of the specified OAuth 2.0 access token. OAuth access tokens grant access to specific resources in an HTTP service for a specific period of time (for example, photos on a photo sharing website). This enables users to grant third-party applications access to a subset of their resources without handing over their credentials or exposing all of their data.

An OAuth access token can be sent to the Resource Server to access the protected resources of the Resource Owner (user). This token is a string that denotes a specific scope, lifetime, and other access attributes. For details on supported OAuth flows, see API Gateway OAuth 2.0 Authentication Flows.

Access Token Info Settings

Configure the following fields on this tab:

Verify access token is in this cache:

Click the browse button to select the access token store in which the filter verifies that the access token is present (for example, the default OAuth Access Token Store). To add a store, right-click Access Token Stores, and select Add Access Token Store. You can select to Store in a cache or Store in a database. For more details on each store type, see the related topics.

The Purge expired tokens every setting specifies, in seconds, how often the cache or database is polled for expired tokens so that they can be removed. Defaults to 60 seconds.

The application registry is stored in the following KPS:

Enter the Key Property Store (KPS) in which the application registry is stored. The application registry contains the applications registered with the Authorization Server that are permitted access to specific scopes and resources. Defaults to the example ClientApplicationRegistry, which is available at the following URL:

http://localhost:8089/appregistry/

For more details, see the topic on Key Property Stores.

Where to get access token from?:

Select one of the following:

  • In Query String:

    This is the default setting. Defaults to the access_token query parameter. Note that tokens carried in a query string are routinely recorded in web server logs, proxy logs, and browser history; where the client can send the token in another location (for example, an HTTP header), use a selector that reads it from there instead.

  • In a selector:

    Defaults to the ${http.client.getCgiArgument('access_token')} selector. For more details on API Gateway selectors, see Selecting Configuration Values at Runtime.

Return additional Access Token parameters:

Click Add to return additional access token parameters, and enter the Name and Value in the dialog. The Value is a selector that is evaluated at runtime against the access token that was found. For example, you could enter Department in Name, and the following selector in Value:

${accesstoken.getAdditionalInformation().get("Department")}
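The following added example (not code from the original page or from API Gateway itself) models what this filter does end to end: a token store with a purge interval like the one described under Access Token Info Settings, the default query-string token source, and Name/Value pairs whose Value is the `${accesstoken.getAdditionalInformation().get("...")}` selector form shown above. The field names in the returned description (`active`, `client_id`, `scope`, `expires_in`), the sample tokens, the client application name, and the sha256 keying of the cache are assumptions for illustration; the page does not specify them.

```python
import hashlib
import json
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs

# Added example, not API Gateway code. Field names and sample data are assumptions.


@dataclass
class AccessToken:
    value: str
    client_id: str
    scopes: list
    expires_at: float                                  # epoch seconds
    additional: dict = field(default_factory=dict)     # "additional information" on the token


class TokenStore:
    """In-memory stand-in for a 'Store in a cache' access token store."""

    def __init__(self, purge_every=60):
        self.purge_every = purge_every    # mirrors 'Purge expired tokens every' (seconds)
        self._last_purge = 0.0
        self._tokens = {}                 # sha256(token value) -> AccessToken

    @staticmethod
    def _key(value):
        # Keying by hash (assumed design) means a dump of the cache yields no usable bearer tokens.
        return hashlib.sha256(value.encode()).hexdigest()

    def add(self, token):
        self._tokens[self._key(token.value)] = token

    def purge_expired(self, now):
        """Drop every token whose lifetime has passed; returns how many were removed."""
        dead = [k for k, t in self._tokens.items() if t.expires_at <= now]
        for k in dead:
            del self._tokens[k]
        self._last_purge = now
        return len(dead)

    def lookup(self, value, now):
        """Return the token only if it is present and not yet expired."""
        if now - self._last_purge >= self.purge_every:
            self.purge_expired(now)
        t = self._tokens.get(self._key(value))
        if t is None or t.expires_at <= now:
            return None   # a token that expired between two purges is rejected as well
        return t


def token_from_query(query_string):
    """Default source: the access_token query parameter (first value, or None)."""
    return parse_qs(query_string).get("access_token", [None])[0]


# The one selector form used on this page; anything else is reported as unsupported.
_ADDITIONAL_SELECTOR = re.compile(
    r'^\$\{accesstoken\.getAdditionalInformation\(\)\.get\("([^"]+)"\)\}$')


def resolve_additional(token, selector):
    m = _ADDITIONAL_SELECTOR.match(selector)
    if not m:
        raise ValueError("unsupported selector: " + selector)
    return token.additional.get(m.group(1))


def token_info(store, token_value, extra_params, now):
    """Description of the token as a dict, with the configured Name/Value pairs appended."""
    t = store.lookup(token_value, now) if token_value else None
    if t is None:
        return {"active": False}   # reveal nothing about unknown or expired tokens
    info = {
        "active": True,
        "client_id": t.client_id,
        "scope": " ".join(t.scopes),
        "expires_in": int(t.expires_at - now),
    }
    for name, selector in extra_params:
        info[name] = resolve_additional(t, selector)
    return info


# Constructed sample data: one live token and one that expired 5 seconds ago.
NOW = 1_700_000_000.0
STORE = TokenStore(purge_every=60)
STORE.add(AccessToken("tok-live", "SampleApp", ["resource.READ", "resource.WRITE"],
                      NOW + 3600, {"Department": "Engineering"}))
STORE.add(AccessToken("tok-stale", "SampleApp", ["resource.READ"], NOW - 5))
EXTRA = [("Department", '${accesstoken.getAdditionalInformation().get("Department")}')]


def demo():
    """JSON output for a live and for an expired token, as the filter would return it."""
    return [json.dumps(token_info(STORE, token_from_query(q), EXTRA, NOW))
            for q in ("access_token=tok-live", "access_token=tok-stale")]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Two points the example makes explicit: the lookup rejects a token by its own expiry even if the periodic purge has not yet run, and an unknown or expired token yields only `{"active": false}` rather than any detail about the token or client.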

Monitoring

The settings on this tab configure service-level monitoring options such as whether the service stores usage metrics data to a database. This information can be used by the web-based API Gateway Manager tool to display service use, and by the Oracle API Gateway Analytics tool to produce reports on how the service is used. For details on the fields on this tab, see the Monitoring Options in Set Service Context.