Understanding authorized access tokens


Authorized access token (AAT) is now the default token format used in Pega Platform for OAuth 2.0 access tokens. AAT replaced the previously used opaque tokens.

Authorized access tokens

AATs are self-contained, compact, and digitally signed to be tamperproof.

Pega Platform manages AATs with autogenerated claims and a built-in key rotation strategy. Pega Platform uses JSON Web tokens (JWT) and JSON Web Signature (JWS) standards for managing authorized access tokens.

AATs are fully backward compatible. They have the same ease of use as opaque tokens, which are used in versions of Pega Platform earlier than 8.5.
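The section above describes AATs as self-contained, digitally signed JWS tokens managed under a key rotation strategy. The following Python example, added here and not taken from Pega Platform, shows what that means for a resource server that has to validate such a token: it pins the signing algorithm, selects the verification key by the `kid` header so tokens signed before a rotation still verify, checks the signature in constant time, and rejects expired tokens. Pega's actual signing algorithm, claim names and key-distribution mechanism are not specified on this page, so the HS256 algorithm, the `KEY_SET` contents and the `sub`/`exp` claims are assumptions made for illustration.

```python
"""Compact JWS (HS256) issue/verify with key rotation via the `kid` header.

Added example, not Pega Platform code. The algorithm (HS256), the key set and
the claim names are assumptions; Pega's real implementation is not shown on
the page this illustrates.
"""
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed key set: a verifier keeps the current key plus recently retired
# keys, so tokens issued before a rotation remain verifiable until they expire.
KEY_SET = {
    "k1": b"constructed-retired-key-material-0001",
    "k2": b"constructed-current-key-material-0002",
}
CURRENT_KID = "k2"
PINNED_ALG = "HS256"


def b64url_encode(raw: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, kid: str = CURRENT_KID) -> str:
    """Issue a compact JWS: base64url(header).base64url(payload).base64url(mac)."""
    header = {"alg": PINNED_ALG, "typ": "JWT", "kid": kid}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    mac = hmac.new(KEY_SET[kid], signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(mac)}"


def verify_token(token: str, now: Optional[float] = None) -> dict:
    """Verify algorithm, key id, signature and expiry; return the claims.

    Raises ValueError on any failure so callers cannot accidentally use an
    unverified payload.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The verifier, not the token, decides the algorithm (blocks alg=none and
    # algorithm-confusion tricks).
    if header.get("alg") != PINNED_ALG:
        raise ValueError("unexpected alg")
    key = KEY_SET.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison: the signature is what makes the token tamperproof.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired or missing exp")
    return claims


def is_valid(token: str, now: Optional[float] = None) -> bool:
    """Boolean wrapper that also absorbs decoding errors from garbage input."""
    try:
        verify_token(token, now)
        return True
    except (ValueError, binascii.Error):
        return False


def with_swapped_payload(token: str, new_claims: dict) -> str:
    """Keep header and signature but replace the payload (a tampering attempt)."""
    header_b64, _, sig_b64 = token.split(".")
    payload_b64 = b64url_encode(json.dumps(new_claims, separators=(",", ":")).encode())
    return f"{header_b64}.{payload_b64}.{sig_b64}"


if __name__ == "__main__":
    # Constructed claims with a fixed clock so the run is reproducible.
    claims = {"sub": "user-123", "scope": "api:read", "exp": 2_000}
    token = sign_token(claims)
    print("current key verifies:", is_valid(token, now=1_000))
    print("retired key verifies:", is_valid(sign_token(claims, kid="k1"), now=1_000))
    print("expired token rejected:", not is_valid(token, now=3_000))
    print("tampered payload rejected:", not is_valid(
        with_swapped_payload(token, {"sub": "admin", "scope": "api:*", "exp": 2_000}), now=1_000))
```

Because the verifier is self-contained (claims plus signature in the token), it needs no lookup against an issuer database; the only shared state is the key set, which is why retired keys must stay available until the last token signed with them has expired.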

Sample AAT

The following image shows a sample AAT with information on what each part of the token contains:

  • Enhanced refresh token strategy

    You now have more precise control over your refresh token expiration strategy. When an OAuth 2.0 client application requests a new access token using the refresh token grant type, the Pega Platform response includes the new access token as well as the refresh token. In the Token Management section, you choose the refresh token issuance mechanism and the expiration of various tokens issued by Pega Platform.

  • Understanding dynamic client registration

    Use dynamic client registration (DCR) to dynamically register trusted third-party applications as OAuth 2.0 clients with Pega Platform. DCR creates the OAuth 2.0 clients for you, using Pega Platform defaults.
