Validate Access Token

Overview

The OAuth 2.0 Validate Access Token filter is used to validate a specified access token contained in persistent storage. OAuth access tokens are used to grant access to specific resources in an HTTP service for a specific period of time (for example, photos on a photo sharing website). This enables users to grant third-party applications access to their resources without sharing all of their data and access permissions.

For more details on supported OAuth flows, see API Gateway OAuth 2.0 Authentication Flows.

Configuration

Configure the following fields on this tab:

Name:

Enter a suitable name for this filter.

Verify access token is in this cache:

Click the browse button to select the cache in which to verify the access token (for example, the default OAuth Access Token Store). To add an access token store, right-click Access Token Stores, and select Add Access Token Store. You can select to Store in a cache or Store in a database. For more details, see the following topics:

The Purge expired tokens every setting specifies the time interval in seconds that the database or cache is polled for expired tokens. Defaults to every 60 seconds.

Location of access token:

Select one of the following:

  • In Authorization Header with prefix:

    The access token is in the Authorization header with the selected prefix (defaults to Bearer). This is the default location.

  • In Query String with name:

    The access token is in the HTTP query string with the name specified in the text box.

  • In Form POST with name:

    The access token is in the HTTP form POST request with the name specified in the text box.

  • In Attribute:

    The access token is in the API Gateway message attribute specified in the text box.

Only accept access tokens that have been issued with the following scopes:

Select the OAuth scope(s) from the list registered in the API Gateway. For example, the default scopes are as follows:

https://localhost:8090/auth/user.photos
https://localhost:8090/auth/userinfo.email
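The following is an added example, not the product's own code, showing the checks this filter performs: extract the token from the configured location, look it up in the token store, reject expired entries, and require every configured scope. The token store is a constructed in-memory dict standing in for the cache, and the `purge_expired` helper mimics the "Purge expired tokens every" job; the request shape and token values are assumptions.

```python
from dataclasses import dataclass
import time

@dataclass
class StoredToken:
    scopes: set        # scopes the token was issued with
    expires_at: float  # epoch seconds

# Constructed stand-in for the OAuth Access Token Store (not the product's real cache).
TOKEN_STORE = {
    "tok-photos": StoredToken({"https://localhost:8090/auth/user.photos"}, time.time() + 3600),
    "tok-expired": StoredToken({"https://localhost:8090/auth/user.photos"}, time.time() - 1),
}

def extract_token(request, location, name="Bearer"):
    """Pull the raw token from the configured location; None if absent or malformed."""
    if location == "header":           # "In Authorization Header with prefix"
        auth = request.get("headers", {}).get("Authorization", "")
        prefix = name + " "
        return auth[len(prefix):].strip() if auth.startswith(prefix) else None
    if location == "query":            # "In Query String with name"
        return request.get("query", {}).get(name)
    if location == "form":             # "In Form POST with name"
        return request.get("form", {}).get(name)
    if location == "attribute":        # "In Attribute" (gateway message attribute)
        return request.get("attributes", {}).get(name)
    raise ValueError("unknown token location: " + location)

def purge_expired(store, now=None):
    """Mimic the periodic purge: drop every token whose expiry has passed."""
    now = time.time() if now is None else now
    for key in [k for k, t in store.items() if t.expires_at <= now]:
        del store[key]

def validate_access_token(request, location, name, required_scopes, store=TOKEN_STORE, now=None):
    """Return (ok, reason). Token must be in the store, unexpired, and carry every required scope."""
    now = time.time() if now is None else now
    token = extract_token(request, location, name)
    if not token:
        return False, "no token in " + location
    entry = store.get(token)
    if entry is None:
        return False, "token not found in store"
    if entry.expires_at <= now:        # expiry is checked even between purge runs
        return False, "token expired"
    missing = set(required_scopes) - entry.scopes
    if missing:
        return False, "missing scopes: " + ", ".join(sorted(missing))
    return True, "ok"
```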