Apigee Edge generates and distributes OAuth access tokens to apps. Edge stores those access tokens and uses them to authorize consumer apps. Some other types of OAuth tokens are also generated by Edge. These include refresh tokens and authorization codes.

When Edge generates these OAuth artifacts, it also a generates 'profile' that contains metadata related to the token or code. For example, the default access token profile contains name/value pairs that define expiration time, the associated app and developer, and so on.

The JSON representation of an Edge access token looks like the following:

  "issued_at" : "1372170159093",
  "application_name" : "ccd1803b-b557-4520-bd62-ddd3abf8e501",
  "scope" : "READ",
  "status" : "approved",
  "api_product_list" : "[FreeProduct]",
  "expires_in" : "3599",
  "developer.email" : "joe@weathersample.com",
  "organization_id" : "0",
  "refresh_token" : "82XMXgDyHTpFyXOaApj8C2AGIPnN2IZe",
  "client_id" : "deAVedE0W9Z9U35PAMaAJYphBJCGdrND",
  "access_token" : "shTUmeI1geSKin0TODcGLXBNe9vp",
  "organization_name" : "apifactory",
  "refresh_count" : "0"

In some situations, you will need to update the profile of an access token. For example, you may want to embed a tag that is unique to you business. You might need to embed a department name, a customer ID, or, more technically, a session identifier, in the access token.

There are two ways to do this: Using an API call or using the SetOAuthV2Info policy. You can call the Edge management API to directly update the access token's profile. See the API documentation for the Update Access Token method.

Use the policy when you need tokens to be updated at runtime, such as at the time when the token or code is generated by Apigee Edge.


Below is an example policy used to update an OAuth 2.0 access token. The example below locates the access token on the request message by looking for a query parameter called access_token. When an access token is presented by a client app, the policy below will locate the access token in the query parameter. It will then update the access token's profile in two ways: it will added a property called department.id to the profile. It will also modify the access token's scope property to the value READ, WRITE.

<SetOAuthV2Info name="SetOAuthV2Info"> 
  <AccessToken ref="request.queryparam.access_token"></AccessToken>
    <Attribute name="department.id" ref="request.queryparam.department_id"></Attribute>
    <Attribute name="scope" ref="">READ, WRITE</Attribute>

If an attribute already exists in the access token profile, then it will be updated with the new value in the policy. If an attribute does not exist, then the attribute will be added to the access token's profile.

Configuring the SetOAuthV2Info policy

Configure the SetOAuthV2Info policy using the following elements.

The name attribute for this policy is restricted to these characters: A-Z0-9._\-$ %. However, the Management UI enforces additional restrictions, such as automatically removing characters that are not alphanumeric.

Field Name Description
AccessToken Use the ref attribute to identify the variable where the access token is located. For example, if the access token is attached to request message as a query parameter, specify request.queryparam.access_token.
Attributes A set of attributes in the access token profile that will be modified or augmented.

An individual attribute to update.

The name attribute identifies the property of the access token profile to be updated. For example, to modify the access token's scope property, specify scope as the value of the name attribute.

The ref attribute specifies either variable or a static setting whose value will be used as the value of the access token profile property that will be updated. For example to update the attribute scope with the value READ, WRITE:

<Attribute name="scope" ref="">READ, WRITE</Attribute>

Policy-specific variables

On success, the following flow variables will be set:

  • oauthv2accesstoken.{policyName}.access_token
  • oauthv2accesstoken.{policyName}.client_id
  • oauthv2accesstoken.{policyName}.refresh_count
  • oauthv2accesstoken.{policyName}.organization_name
  • oauthv2accesstoken.{policyName}.expires_in
  • oauthv2accesstoken.{policyName}.refresh_token_expires_in
  • oauthv2accesstoken.{policyName}.issued_at
  • oauthv2accesstoken.{policyName}.status
  • oauthv2accesstoken.{policyName}.api_product_list
  • oauthv2accesstoken.{policyName}.token_type
  • oauthv2accesstoken.{policyName}.{custom_attribute_name}

On failure, following variable will be set:

  • oauthv2accesstoken.{policyName}.failed: true

Policy schema

Each policy type is defined by an XML schema (.xsd). For reference, policy schemas are available on GitHub.

Help or comments?

  • Something's not working: See Apigee Support
  • Something's wrong with the docs: Click Send Feedback in the lower right.
    (Incorrect? Unclear? Broken link? Typo?)