Can I get the developer app and developer email when I get an expired access token?

I want to log the developer email and app whenever an app passes an expired access token. I am not sure if this is achievable. Can anyone confirm whether we can get these details using any of the available policies? Can a workaround be implemented to get these details?


No, I don't think it's directly possible.

There is a policy called GetOAuthV2Info which ostensibly retrieves information about an access token - like the developer email and so on. Unfortunately it will throw a fault when you try to retrieve information regarding an expired oauth token.

There is a "requesttoken" entity type that you can use with AccessEntity, but it also throws a fault with an expired token.

The OAuthV2 policy with Operation=VerifyAccessToken retrieves the information you seek, but as above, it throws a fault if the token is expired.

In any of the above cases, you can use the continueOnError="true" attribute on the policy, which will suppress or avoid the fault. But in this case, you will still not get the information you seek.

I can imagine that you might populate a cache entry with the token as the key, when the VerifyAccessToken succeeds. And then you could read the cache in the FaultRules when an expired token is detected. But there's no guarantee that the Cache entry will still be alive when the expired token is presented. So this won't solve every case.

Why do you want the information? What do you really want to do?
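The cache workaround described in the reply above, sketched as Apigee policy configuration. This is an added example, not code from the original post or from Apigee; the policy names, the `token-owner` cache resource, the `token.owner` variable and the 86400-second TTL are assumptions chosen for illustration.

```xml
<!-- Added example: each element below is a separate policy file (or, for the
     FaultRule, a fragment of the ProxyEndpoint). All names are hypothetical. -->

<!-- 1. Request flow, immediately after OAuthV2 VerifyAccessToken succeeds:
        pack the identity variables that policy populated into one string. -->
<AssignMessage name="AM-TokenOwner">
  <AssignVariable>
    <Name>token.owner</Name>
    <Template>{developer.email}|{developer.app.name}|{client_id}</Template>
  </AssignVariable>
</AssignMessage>

<!-- 2. Store that string keyed on the Authorization header value. The TTL
        (constructed value) must exceed the token lifetime, otherwise the
        entry is evicted before the token can ever be presented expired. -->
<PopulateCache name="PC-TokenOwner">
  <CacheResource>token-owner</CacheResource>
  <Scope>Application</Scope>
  <CacheKey>
    <KeyFragment ref="request.header.authorization"/>
  </CacheKey>
  <ExpirySettings>
    <TimeoutInSec>86400</TimeoutInSec>
  </ExpirySettings>
  <Source>token.owner</Source>
</PopulateCache>

<!-- 3. Fault path: same cache, same key. On a hit, token.owner is set and the
        logging policy can include it; on a miss it stays unset. -->
<LookupCache name="LC-TokenOwner">
  <CacheResource>token-owner</CacheResource>
  <Scope>Application</Scope>
  <CacheKey>
    <KeyFragment ref="request.header.authorization"/>
  </CacheKey>
  <AssignTo>token.owner</AssignTo>
</LookupCache>

<!-- 4. ProxyEndpoint fragment: run the lookup only for the expired-token fault. -->
<FaultRule name="expired-token">
  <Step><Name>LC-TokenOwner</Name></Step>
  <Condition>fault.name = "access_token_expired"</Condition>
</FaultRule>
```

The cache key here is the raw Authorization header value and the entry is written while the token is still valid, so the cache should be treated as holding live credentials.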

Thanks Dino,

In our Splunk logs we can see a lot of expired token errors. For these particular errors, the developer app and developer email are empty, so we can't really narrow down which consumer is continuously sending expired access tokens.

For other types of errors these details (dev app and email) are populated, except for expired access token errors.


@AshwiniRai @Dino

I use the URL below to get the ClientId (which is nothing but the DevApp consumer key); by using this ClientId you can find the DevApp name. It can be used with an expired token as well, but the token should belong to that org only.

https://api.enterprise.apigee.com/v1/o/{orgname}/oauth2/accesstokens/{token}

Let me know if this works for you.


Hi Ashwini,

Did you try using analytics to create a custom report, as shown here, to dig out that information? A sample is shown below.

[Screenshot: 6312-screen-shot-2018-01-19-at-112848-am.png]