|
Enable OAuth 2.0
|
Displays the OAuth Security options. By default, all options are hidden.
Enabling OAuth 2.0 for this API will allow you to select which endpoints you wish to protect and configure OAuth for. These are only Mashery related OAuth settings, you still have to configure your API to handle OAuth as well.
|
|
Grant Types
|
The grant types that you want to support. Grant type is an authorization type that is necessary to obtain an access token. Note that the OAuth mechanism is enabled upon selection of any option related to OAuth. The following grant types can be selected in the
Grant Type section:
-
Authorization Code: Consists of two requests and two responses. The first request is to get the authorization code generated by authorization server. The code is then sent in the second request to get the access token.
-
Implicit Grant: Issues an access token directly on receiving the authorization request. The client is not authenticated by the authorization server in this grant type. The client can only send the client ID.
- Resource Owner Password Credentials: Issues an access token by using the resource owner password credentials. After providing the resource owner credentials, the access to client application is provided. This type must be used only when there is trust established between the resource owner and the client.
-
Client Credentials: Issues access token by using client credentials where the client requests access to secured resources or other resource owners.
|
|
Enable token based rate limits
|
The call limits for an access token. These limits override the API rate limits. The limits can be entered into
Calls per seconds and
Rate Limit Ceiling.
The token based rate limits are applied for the access token which can be reused based on the set limits.
Note: The token based rate limits are not the endpoint limits.
|
|
Calls per seconds
|
Throttle limit for access token. In most cases, the default value is 2 calls per second.
|
|
Rate Limit Ceiling
|
Quota limit for access token. In most cases, the default value is 1000 calls per day.
|
|
Enable TTL
|
Enables Time to Live (TTL). The token expires after the TTL limit is crossed.
|
|
Access Token TTL
|
If TTL is enabled, the time for which a token remains active needs to be entered. The time is displayed in the "day (d), hour (h), minute (m), and second (s)" format.
|
|
Access Token Type
|
The following token types can be entered:
- Bearer: A token type that is not encrypted and simpler than Message Authentication Code (MAC). The bearer token type is utilized by including the access token in the request.
- MAC: It is utilized by issuing an MAC key along with the access token. If you select the MAC token type, the MAC algorithm list is displayed.
|
|
Refresh Token
|
Enables developers to refresh the token.
|
|
Enable Refresh Token TTL
|
Enables the Refresh Token TTL option. The refresh token expires when the specified limit is crossed.
|
|
Secure Tokens
|
Allows you to use one-way hashed values to encrypt tokens. All requests that depend on unencrypted tokens fail, if selected.
|
|
TIBCO Mashery Token API
|
Enables TIBCO Mashery to handle Access token requests via a dedicated Endpoint Request endpoint.
|
|
Forward Headers
|
You can enable the following headers that you want TIBCO Mashery to include in the request to the API:
- Client ID (X-Mashery-Oauth-Client-Id)
- User context (X-Mashery-Oauth-User-Context)
- Access Token (X-Mashery-Oauth-Access-Token)
- Scope (X-Mashery-Oauth-Scope)
|
|
Refresh Token Time to Live (TTL)
|
Time in seconds for which a refresh token remains active. The time is displayed in the "day (d), hour (h), minute (m), and second (s)" format.
|
|
Force SSL Redirect
|
Allows TIBCO Mashery to reject the request for authorization codes or access tokens that consist of a redirection URL other than HTTPS.
|
|
Mandate Validation Against Pre-registered URL
|
Allows TIBCO Mashery to validate whether the client application provided a redirect URI field that matches with the callback URL specified when an application is registered.
|
|
Mac Algorithm
|
Allows you to choose one of the two algorithms to access the tokens:
|
|
Access Token
|
Enables users to generate a token to access an API.
|
|
Allow Multiple Tokens
|
Issues a unique access token for every access token requested irrespective of user context.
|
|
Authorization Code TTL
|
The time in seconds for which the authorization code remains active. The time is displayed in the "day (d), hour (h), minute (m), and second (s)" format.
|
