Opaque Token support - OTK 4.4


Article ID: 243382




CA API Gateway


Deployed "Layer 7 API gateway version 10"

Does OTK 4.4 support Opaque token?

Opaque token requirement:

An opaque token is a random, unique string of characters issued by the authorization server. It is one of the possible formats that access tokens or refresh tokens can take. The opaque token does not carry any identifiable information about the user, so it is impossible for the resource server to make any authorization decision based on the opaque token itself. The opaque token contains an identifier for information stored on the authorization server. To validate the token and retrieve the information about the token and the user, the resource server calls the authorization server and requests token introspection.


Release : 10.0



The token is opaque. Opaque tokens are UUIDs; they are random, unique strings of characters issued by the authorization server.

The token can be encrypted, but OAuth tokens do not require encryption in the OTK database because they are random UUIDs generated as opaque tokens and are not related to any identifiable client info.
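The opaque-token flow described above (a random UUID issued by the authorization server, which the resource server can only resolve through introspection), as an added example that is not OTK code or part of the original article. The class and function names are hypothetical, the introspection call is modelled in-process rather than over HTTP, and the response fields follow RFC 7662.

```python
import time
import uuid


class AuthorizationServer:
    """Hypothetical in-memory authorization server (not OTK code)."""

    def __init__(self):
        self._tokens = {}  # opaque token -> server-side record

    def issue(self, subject, client_id, scope, ttl_seconds=3600):
        token = str(uuid.uuid4())  # random UUID: carries no user or client data
        self._tokens[token] = {
            "sub": subject,
            "client_id": client_id,
            "scope": scope,
            "exp": int(time.time()) + ttl_seconds,
        }
        return token

    def revoke(self, token):
        self._tokens.pop(token, None)

    def introspect(self, token, now=None):
        """Return an RFC 7662 style response for the presented token."""
        now = int(time.time()) if now is None else now
        record = self._tokens.get(token)
        if record is None or record["exp"] <= now:
            # Unknown, revoked and expired tokens all look the same to the caller.
            return {"active": False}
        return {"active": True, **record}


def authorize(auth_server, token, required_scope):
    """Resource-server check: the decision uses only the introspection result."""
    info = auth_server.introspect(token)
    if not info["active"]:
        return False
    return required_scope in info["scope"].split()


if __name__ == "__main__":
    server = AuthorizationServer()
    token = server.issue("alice", "demo-client", "orders:read")  # constructed values
    print(authorize(server, token, "orders:read"))
    print(authorize(server, token, "orders:write"))
    server.revoke(token)
    print(authorize(server, token, "orders:read"))
```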


"Is there any service/endpoint (like the introspection URL) available to exchange an opaque access token for a JWT access token?"

It is either opaque or JWT, and there is NO endpoint/service for exchanging an opaque token for a JWT.

Note that you can look into a customized endpoint: either add a separate endpoint for this exchange (opaque to JWT and vice versa) and use it before calling any OTK endpoints (token, introspect/validate, etc.), or customize the OTK solution for this exchange.