Restricting Access Token for one time use

Hi,

Can you please let me know a way to use the OAuthV2 policy to generate an access token that can be used only once within the expiration duration. I can have an expiry of 30 minutes, and the client should use the token only once within 30 minutes; if they try a second time within those 30 minutes, it should throw an error.


I think you'd want to use a Quota that allows 1 request per 30 minutes (or whatever the lifetime of the token is), and make sure the Quota is distributed and synchronous.

In your policy flow you would have these policies, in this order:

  • OAuthV2/VerifyAccessToken
  • Quota

The VerifyAccessToken will succeed, as many times as the token is presented, for the 30 minute lifetime.

The Quota will accept exactly one request, and then will reject all future requests until 30 minutes have expired. After that window has expired, the quota will reset, but by that time the token will be expired, so the first step (VerifyAccessToken) will never allow the token.

The quota policy should look something like this:

<Quota name='Quota-1'>
    <Identifier ref='access_token' />
    <Allow count='1'/>
    <Interval>30</Interval> <!-- or the lifetime of the token -->
    <TimeUnit>minute</TimeUnit>
    <Distributed>true</Distributed>
    <Synchronous>true</Synchronous>
    <PreciseAtSecondsLevel>true</PreciseAtSecondsLevel>
</Quota>

The "access_token" variable will be set by the OAuthV2/VerifyAccessToken policy.

You will want to consider: what happens when an app tries to get ANOTHER token? Repeatedly getting new tokens may be a way around your "1 use" requirement.

You may also want to ensure that the token cannot be refreshed - do not send back a refresh token.

Also - you may want to ensure that apps cannot repeatedly request new tokens. You could do that with another layer of Quota - for example allowing the issuance of only 1 token per day, per ... user ... or whatever you want to use as the limiting factor.
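The wiring that the reply above describes, shown as an added example (not code from the reply or from Apigee's documentation): the proxy PreFlow runs VerifyAccessToken first, so that the Quota only ever sees tokens that are still valid, and the Quota-1 policy from the reply is referenced by name. The proxy name "default", the base path and the file paths are assumptions.

```xml
<!-- File: apiproxy/proxies/default.xml (assumed proxy name and base path) -->
<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request>
      <!-- Step 1: reject expired, revoked or unknown tokens before anything else.
           On success this policy populates the access_token flow variable. -->
      <Step><Name>OAuthV2-VerifyAccessToken</Name></Step>
      <!-- Step 2: the Quota-1 policy from the reply above, keyed on access_token,
           admits exactly one request per token value within the token lifetime. -->
      <Step><Name>Quota-1</Name></Step>
    </Request>
    <Response/>
  </PreFlow>
  <HTTPProxyConnection>
    <BasePath>/one-time-token</BasePath>
  </HTTPProxyConnection>
  <RouteRule name="default">
    <TargetEndpoint>default</TargetEndpoint>
  </RouteRule>
</ProxyEndpoint>

<!-- File: apiproxy/policies/OAuthV2-VerifyAccessToken.xml -->
<OAuthV2 name="OAuthV2-VerifyAccessToken">
  <!-- Expired tokens fail here with an OAuth fault, so the Quota window
       resetting after the token lifetime never lets a stale token through. -->
  <Operation>VerifyAccessToken</Operation>
</OAuthV2>
```

If the order of the two steps were reversed, a replayed token would consume the quota before its validity had been checked, and an expired token would still be counted against the window.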

Thanks a lot for your quick and detailed clarification. This helps us.

nsaini

You can invalidate the token after validating it. This would ensure that the token is used only once. Also, as @Dino suggested, don't allow the token to be refreshed.

@Sean Davis, any suggestions here? This is related to open banking APIs.