Contact Us 1-800-596-4880

OAuth 2.0 Access Token Policies

To secure an API in Anypoint Platform using OAuth, using one of the following policies and the matching OAuth provider is recommended.

  • OpenAM OAuth Token Enforcement policy

  • PingFederate OAuth Token Enforcement policy

  • OpenID Connect Access Token Enforcement Policy

You need to set up an OpenAM, PingFederate, or Dynamic Client Registration-compliant identity provider to use a recommended policy. If for some reason, you cannot use a recommended provider, use OAuth 2.0 Access Token Enforcement Using External Provider Policy. You must then use a Mule Provider.

None of the token enforcement policies work with a Mule client app to access OAuth 2.0-protected resources outside Anypoint Platform. You need to configure the HTTP Requester connector for this purpose.

An authorization enforcement policy, which you apply to an API in Anypoint Platform, connects to an OpenAM authorization server, PingFederate authorization server, OpenID Connect Token Introspection endpoint, or custom OAuth 2.0 provider.

Important: To use the OAuth 2.0 Access Token Enforcement Using External Provider policy, you need a Mule OAuth 2.0 provider to provide an access token. You cannot use any other OAuth 2.0 provider, such as Facebook, Google, or Azure.

Like other API Manager-enforced policies, the API needs to be registered in API Manager to apply and use any OAuth 2.0 access token policy.


  • You are an Anypoint Platform organization administrator or have permission to create or manage APIs in an environment.

  • You set up your Anypoint Platform organization as a federated organization using either OpenAM, OpenID Connect, or PingFederate. See link below. Alternatively, you have a Mule OAuth 2.0 provider configured and running.

View on GitHub