Gateway Token Endpoints (OAuth2 / JWT)

Where these endpoints run: API Gateway, not API Manager

Apinizer runs on two separate planes, and the token endpoints belong to the API Gateway:

  • API Manager (control plane). The administrative component where all configuration is performed: API proxies, credentials, policies, settings. The Management API and APIops endpoints run here. The Manager is not exposed to the outside world; only administrators use it, to apply configuration changes. It is off the request hot path.
  • API Gateway (data plane). The high-performance runtime that processes every API request. The token endpoints run here, not on the Manager. They are open to client access: a client calls them to obtain a token and then uses that token to reach the proxied APIs. Because the Gateway carries production traffic, it is typically placed behind a load balancer and scaled horizontally.

In short: configuration changes go to the Manager (APIops); token acquisition and API access go to the Gateway (token API). The two are deliberately separated — the Manager stays private and administrative, while the token API is reachable by clients.

Overview

The gateway token service provides standards-based endpoints for:

  • Token Issuance — Issue OAuth2 (opaque) or JWT tokens via /auth/token, /auth/jwt, /credential/token, and /credential/jwt endpoints
  • Token Refresh — Refresh tokens via /auth/jwt/regenerate, /credential/jwt/regenerate
  • Token Introspection — Check token validity and details via /auth/introspect and /credential/introspect
  • Token Revocation — Invalidate tokens via /auth/revoke and /credential/revoke
  • Discovery — Discover token endpoints and supported methods via /.well-known/oauth-authorization-server
  • Public Keys — Retrieve signing keys for offline JWT validation via /.well-known/jwks.json

Two Management Modes

All token endpoints support two modes of operation:

  • "Manage From This Policy" — Token configuration and issuance are managed directly by the JWT/OAuth2 policy attached to an API proxy, proxy group, or policy group. Uses the /auth prefix.
  • "Manage From ACL" — Token settings are stored in a credential entity and controlled via credential access control lists. Uses the /credential prefix.

Both modes follow the same RFC standards (OAuth2 / OpenID Connect) and provide the same token types and grant methods.

Scope

To configure token validity periods, grant types, JWT signing algorithms, and scope handling behavior, see Token Management Settings in the Administration section.