Apinizer can work as an identity provider service in addition to authorization. Clients can generate tokens using Apinizer’s token generation service with their credentials. They can send the generated tokens within the message and perform authentication and authorization through these tokens instead of their own credentials.
You can generate OAuth2 or JWT tokens with Apinizer and perform security control in your API Proxies with these tokens.
Apinizer stores tokens generated for OAuth2 authentication in its own database and also caches them for performance.
In JWT authentication, Apinizer does not need any token storage area for token validation. Instead, it stores the RSA key belonging to the Worker in each environment. The token is validated by checking the RSA key with which the JWT token was generated. This check only verifies that the token was generated by Apinizer and that the data has not been corrupted or changed (remains as generated). In addition to this validation, the policy also checks the “claim” values within the token according to the API Proxy information from which the message came.
Apinizer prefers generating JWT tokens through API calls rather than sharing the key value with the client.
To view the description of the JWT token acquisition and OAuth2 token acquisition panel, you can visit the Token Acquisition Methods page. When acquiring tokens with JWT or OAuth2, if “Manage From This Policy” is selected, the CORS and XFF settings configured from the “Settings” tab of the API Proxy will be valid.However, if this option is not checked, if it is managed through “Credentials”, the CORS and XFF settings you added to the Worker in “Gateway Environments” will be valid. See. 
