Hello,
I’m wondering how persistent and temporary data is stored in the apigee X runtime plane.
For example, when I create tokens with the OauthV2 policy, is it possible as admin to have the list and administer the tokens created and know the status of each one (expired, active, revoked)?
Hello! Thanks for reaching out to the community. We’re on it and will share an answer when available. Thank you!
Hi @apipgeTester ,
Tokens generated through Apigee’s OAuthV2 policy are stored in Cassandra, a distributed NoSQL database.
Regarding your question about administering tokens (checking their status, revoking, etc.), this isn’t typically how OAuth tokens are managed in practice. Admins manage client credentials, but not the tokens themselves. Access tokens are designed to be short-lived for security reasons, and manually managing tokens would introduce complexity and potential security risks (e.g., exposing tokens to theft or mishandling).
Tokens are designed to expire quickly (usually within minutes or hours), so they don’t need to be manually managed or revoked. The idea is to let tokens expire naturally rather than try to keep track of them. In cases where tokens need to be invalidated immediately, it’s more secure to rotate the associated client credentials rather than manage individual tokens.
Also, in Apigee, setting long expiration times for OAuth tokens is considered an antipattern. Specifically, long-lived tokens can lead to token accumulation in the Cassandra datastore, which can negatively impact performance by using excessive disk space and slowing down token retrieval. It’s best to set short expiration times for tokens so that they expire quickly and get purged automatically, keeping the system efficient.
Additionally, tokens don’t always need to be stored at all. For instance, stateless tokens like signed JWTs don’t require server-side storage and allow you to verify the token without managing its state on the server. This provides a more scalable, secure approach by reducing the need for token management altogether. You can read more about JWT with OAuth in Apigee here: Using JWT with OAuth in Apigee.
However, if you absolutely need to manage tokens, Apigee Edge provides an API to search, revoke, or manage tokens. You can find more about it here: Apigee OAuth 2.0 Access Tokens API.
Lastly, If you’re concerned about token expiration configurations, CodeSent has a built-in rule that detects insecure token expiration settings. You can read more about it here: Insecure Token Expiration Configuration Rule.
Let me know if you need more details or have any other questions!
Best,
Nikita
Hello! @apipgeTester , glad to see you receive a helpful response regarding your question about Apigee’s token management. Thank you, @nmarkevich , for engaging and providing a detailed explanation!!!
If the provided solution response worked for you, please consider marking it as an accepted solution, this will help other community members facing similar questions to quickly identify solutions.