Contact Free trial Login

OAuth 2 Policies concepts

To secure an API in Anypoint Platform using OAuth, use one of the following policies and the matching OAuth provider instead of the OAuth 2.0 Access Token Enforcement Using External Provider Policy and a Mule Provider:

  • OpenAM OAuth Token Enforcement policy

  • PingFederate OAuth Token Enforcement policy

  • OpenID Connect Access Token Enforcement Policy

Any of these token enforcement policies do not work with a Mule client app to access OAuth 2.0-protected resources outside Anypoint Platform. You need to configure the HTTP Requester connector.

An authorization enforcement policy, which you apply to an API in Anypoint Platform, connects to an OpenAM authorization server, an OpenID Connect Token Introspection endpoint, PingFederate authorization server, or a custom OAuth 2.0 provider.

Important: To use the OAuth 2.0 Access Token Enforcement Using External Provider policy, you need a Mule OAuth 2.0 provider to provide an access token. You cannot use any other OAuth 2.0 provider, such as Facebook, Google, or Azure.

If for some reason, you cannot use one of the recommended providers, use OAuth 2.0 Access Token Enforcement Using External Provider Policy for protecting your APIs using OAuth. Like other API Manager-enforced policies, the API needs to be registered in API Manager to apply and OAuth 2.0 Access Token policy.


  • You are an Anypoint Platform organization administrator or have permission to create or manage APIs in an environment.

  • You set up your Anypoint Platform organization as a federated organization using either OpenAM, OpenID Connect, or PingFederate. Alternatively, you have a Mule OAuth 2.0 provider configured and running.

We use cookies to make interactions with our websites and services easy and meaningful, to better understand how they are used and to tailor advertising. You can read more and make your cookie choices here. By continuing to use this site you are giving us your consent to do this.