Configuring token management and revocation for a native OAuth provider

Select whether to use a native gateway (DataPower) or third party endpoint for token revocation.

About this task

Token management enables you to prevent replay attacks by configuring token revocation. API Connect supports token revocation using a native gateway (DataPower) or a third party endpoint. For a native gateway, quota enforcement is used to manage tokens. For a third party endpoint, a URL to an external service is used to manage tokens.

For more information, see the IETF RFC 7009 OAuth 2.0 Token Revocation.

Token management relies on gateway-peering to distribute the cache for revocation details within a gateway cluster node, and does not propagate across different gateway clusters. In order to enforce token management across different gateway clusters, you must use the external token store and set the Token Management Type to External in your native OAuth provider configuration.

One of the following roles is required to configure token management and revocation for a native OAuth Provider:

  • Organization Administrator
  • Owner
  • Custom role with the Settings > Manage permissions

You can select the token management settings page for a native OAuth provider immediately on completion of the creation operation detailed in Configuring a native OAuth provider, or you can update the token management settings for an existing native OAuth provider. If you want to update the token management settings for an existing native OAuth provider, complete the following steps before following the procedure described in this topic:

  1. Click Resources icon Resources > OAuth Providers.
  2. Select the required native OAuth provider.


  1. Select Token Management in the sidebar menu.
  2. Enable token management by selecting the check box.
  3. From the Type list, select either Native or External. Native points to DataPower as the token storage location; External points to a revocation URL for token storage.
    Note: If you are using the API Manager user interface then, for the External option to be available, you must be using DataPower® API Gateway Version or later, and the gateway service must be enabled in the Sandbox Catalog; for details on how to enable a gateway service in a Catalog, see Creating and configuring Catalogs
  4. For Native, select one or both of the Resource owner revocation path and Client revocation path.
    • Resource owner revocation path - Uses the standard OAuth revocation path to allow the resource owner (end user) to revoke the application permission.
    • Client revocation path - Uses the standard OAuth revocation path to allow the client (application) to revoke a single token when the application closes.
    For more information about managing tokens with the Native DataPower Gateway, see Token management with the native DataPower Gateway.
  5. For External, the settings depend on the gateway type, as follows:
    DataPower API Gateway:
    • Endpoint - the URL of the external management endpoint.
    • TLS Client Profile (optional) - the TLS client profile to secure connections.
    • Security - how to secure connections. The only supported method is basic authentication.
    • Basic authentication username (optional) - the user name for authentication.
    • Basic authentication password (optional) - the password for authentication.
    • Basic authentication request header name (optional) - the request header that contains the authentication string; if you supply both a request header name and user name/password, the request header authentication method is used.
    • Custom header pattern (optional) - the name pattern of the headers to use for sending additional information to the external management service.
    • Cache type - the cache type to control whether and how to cache positive responses. If you select Time to live, specify how long to keep responses in the cache; the default value is 900 seconds.
    • Fail on error - if selected, processing is stopped if the connection to the external management service fails.
    Note: For details of the JSON format that is required when exchanging messages with the external management service, see JSON format to exchange messages with the external management service.
    DataPower Gateway (v5 compatible):
    • Endpoint - Enter the URL to an external web server that contains information about access or refresh tokens. API Connect calls the URL to determine if the associated token can be trusted. The token server then checks a token blocklist (a data store of inactive tokens) to ensure that the token is still valid. If the token is still valid, API Connect continues the processing. For more information see Token revocation.
    • TLS Client Profile - Select a TLS profile to verify the external endpoint.
  6. Click Save when done.


You can use the OAuth Provider to secure the APIs in a catalog.