Access Token using JWT


The OAuth 2.0 Access Token using JWT filter enables an OAuth client to request an access token using only a JSON Web Token (JWT). This supports the OAuth 2.0 JWT flow, which is used when the client application needs to directly access its own resources on the Resource Server. Only the client JWT token is used in this flow, the Resource Owner's credentials are not required. A JWT token is a JSON-based security token encoding that enables identity and security information to be shared across security domains. For more details on supported OAuth flows, see API Gateway OAuth 2.0 Authentication Flows.

OAuth access tokens are used to grant access to specific resources in an HTTP service for a specific period of time (for example, photos on a photo sharing website). This enables users to grant third-party applications access to their resources without sharing all of their data and access permissions. An OAuth access token can be sent to the Resource Server to access the protected resources of the Resource Owner (user). This token is a string that denotes a specific scope, lifetime, and other access attributes.

Application Validation

Configure the following fields on this tab:

The application registry is stored in the following KPS:

Enter the Key Property Store (KPS) in which the application registry is stored. The application registry contains the applications registered with the Authorization Server that are permitted access to specific scopes and resources. Defaults to the example ClientApplicationRegistry, which is available at the following URL:


For more details, see the topic on Key Property Stores.

Audience (aud) must contain the following URI:

Enter the JWT aud (intended audience). The JWT must contain an aud URI that identifies the Authorization Server, or service provider domain, as an intended audience. The Authorization Server must also verify that it is an intended audience for the JWT. Defaults to http://apiserver/api/oauth/token.

Validate Scopes:

Select whether to validate the OAuth scopes in the incoming message against the scopes registered in the API Gateway. For example, select Libraries -> OAuth Scopes in the Policy Studio to view the default scopes:


Access Token

Configure the following fields on the this tab:

Cache Access Token Here:

Click the browse button to select where to cache the access token (for example, in the default OAuth Access Token Store). To add an access token store, right-click Access Token Stores, and select Add Access Token Store. You can select to Store in a cache or Store in a database. For more details, see the following topics:

The Purge expired tokens every setting specifies the time interval in seconds that the database or cache is polled for expired tokens. Defaults to every 60 seconds.

Access Token Expiry (in secs):

Enter the number of seconds before the access token expires. Defaults to 3600 (one hour).

Access Token Length:

Enter the number of characters in the access token. Defaults to 54.

Access Token Type:

Enter the access token type. This provides the client with information required to use the access token to make a protected resource request. The client cannot use an access token if it does not understand the token type. Defaults to Bearer.

Include Refresh Token:

Select whether to include a refresh token. This is a token issued by the Authorization Server to the client that can be used to obtain a new access token. This setting is unselected by default.

Refresh Token Expiry (in secs):

When Include Refresh Token is selected, enter the number of seconds before the refresh token expires. Defaults to 43200 (twelve hours).

Refresh Token Length:

When Include Refresh Token is selected, enter the number of characters in the refresh token. Defaults to 46.

Store additional Access Token parameters:

Click Add to store additional access token parameters, and enter the Name and Value in the dialog (for example, Department and Engineering).


The settings on this tab configure service-level monitoring options such as whether the service stores usage metrics data to a database. This information can be used by the web-based API Gateway Manager tool to display service use, and by the Oracle API Gateway Analytics tool to produce reports on how the service is used. For details on the fields on this tab, see the Monitoring Options in Set Service Context.