Customizing Tokens and Authorization Codes
This pageapplies toApigee andApigee hybrid.
View Apigee Edge documentation.
About token and authorization code metadata
Apigee generates OAuth access tokens, refresh tokens, and authorization codes, and dispenses them to authenticated apps. At generation time, Apigee stores those tokens and codes. Later, when Apigee receives inbound API requests bearing these tokens or codes, Apigee uses the stored information to authorize the requests.
When Apigee generates these OAuth artifacts, it also attaches metadata to the token or code. For example, an access token is associated to name/value pairs that define expiration time, the associated app and developer, and other information.
The JSON representation of an Apigee access token looks like the following:
{"issued_at":"1372170159093","application_name":"ccd1803b-b557-4520-bd62-ddd3abf8e501","scope":"READ","status":"approved","api_product_list":"[Product1,Product2]","api_product_list_json":["Product1", "Product2"],"expires_in":"3599",//--in seconds"developer.email":"joe@weathersample.com","organization_id":"0","refresh_token":"82XMXgDyHTpFyXOaApj8C2AGIPnN2IZe","client_id":"deAVedE0W9Z9U35PAMaAJYphBJCGdrND","access_token":"shTUmeI1geSKin0TODcGLXBNe9vp","organization_name":"apifactory","refresh_count":"0"}
Adding custom attributes to OAuth tokens and authorization codes
Sometimes it's useful to attach custom metadata to an access token. For example, you might wish to add a user name, group memberships or roles for a user, a customer ID, a session identifier, or other arbitrary information to a token. In Apigee, these data are called "custom attributes." Subsequently, when the token is verified within the scope of an API request, that data is made available to the API proxy via context variables. An API proxy could make fine-grained authorization or routing decisions based on the custom data that is attached to the token.
To attach arbitrary data to a token, use the<Attributes> element inthe OAuthV2 policy. You can specify the name and value of the custom attribute. For example, here is a policy configuration that generates a token and attaches a custom attribute called "tenant_list" to the token:
<OAuthV2name="GenerateAccessToken"><Operation>GenerateAccessToken</Operation><ExpiresIn>600000</ExpiresIn><GenerateResponse/><SupportedGrantTypes><GrantType>client_credentials</GrantType></SupportedGrantTypes><GrantType>request.queryparam.grant_type</GrantType><Attributes><Attributename="tenant_list"ref="tenant_list_retrieved_from_external_service"display="false"/></Attributes></OAuthV2>
You can specify multiple custom attributes, and you can attach them implicitly to either an authorization code (<Operation>GenerateAuthorizationCode</Operation>) or a token (<Operation>GenerateAccessToken</Operation>) at the time of generation.
Whendisplay is set totrue (the default), custom attributes are returned in the response, where they may be viewable by the app, or passed on to the end user. Whendisplay is set tofalse, custom attributes are stored in the data store, but are not returned in the response message. In either case, the custom data is available to the policies within the API Proxy, after the token has been verified.
For more information about thedisplay option, see Displaying or hiding custom attributes in the response.
Getting custom access token attributes at runtime
When there is a call toOAuthV2/VerifyAccessToken, Apigee verifies the token by looking it up in the token store. Apigee then populates a set of context variables containing information about the token. These include:
organization_namedeveloper.iddeveloper.app.nameclient_idgrant_typetoken_typeaccess_tokenissued_atexpires_in//--in secondsstatusscopeapiproduct.name*
If there are any custom attributes on the token, those custom attributes are made available in a context variable with the nameaccesstoken.{custom_attribute}. For example, suppose a token is issued from the policy shown above. After verifying such a token, there would be an additional context variable namedaccesstoken.tenant_list, containing the value that was stored at the time the token was generated.
Policies or conditions can then refer to these variables and modify behavior based on the values stored within.
Setting and updating custom attributes at runtime
In some situations, you will want your API Proxy to update the metadata associated to an access token at runtime while an API call is being processed on Apigee. To help with this, Apigee provides policies for getting and setting token attributes. For more information, seeGet OAuth V2 Info policy andSet OAuth V2 Info policy.
In each of these policies, theAccessToken element should refer to a variable that contains the access token.
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-15 UTC.