OAUTH Generate token & Flow Hook

We have a set of APIs but we do not have any security mechanism implemented so far.

Our APIs will be accessed by web/mobile clients, so we are thinking of implementing the Client_credentials grant type.

As the APIs are already in place, we want to enforce security at the global level (through flow hook preconditions) by creating a shared flow that validates the auth token.

I followed the link - https://docs.apigee.com/api-platform/tutorials/secure-calls-your-api-through-oauth-20-client-credent...

I will be generating the token through the OAuth default proxy that is bundled or provided by default.

But if I use the pre-flow hook and attach the shared flow there, then even when calling the OAuth endpoint /oauth/client_credential/accesstoken?grant_type=client_credentials to generate the token, I get the exception that should only come from token validation:

{
    "fault": {
        "faultstring": "Invalid Access Token",
        "detail": {
            "errorcode": "keymanagement.service.invalid_access_token"
        }
    }
}

How can I apply it to all proxies/endpoints except OAuth? Is there any other, better alternative way to handle this?


Hi,

Not sure of the exact solution for this problem, but I have one work-around. You can check conditions like the one below in your shared-flow bundle so that the step is not executed in specific cases:

<Step>
    <!-- "*" matches a single path segment only; "**" is needed to cover
         /oauth/client_credential/accesstoken, which has two segments below /oauth -->
    <Condition>!(request.path MatchesPath "/oauth/**")</Condition>
    <Name>APIkeyVerify</Name>
</Step>

Yes - use a condition in the logic of the SharedFlow to avoid validating the token if the request is to obtain a new token.
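Putting both replies together, this is what the shared flow attached to the environment's pre-proxy flow hook and its verification policy could look like. It is an added example, not the poster's bundle or Apigee's own code; the policy name OAuthV2-VerifyAccessToken is assumed, and the exempted path is the token endpoint quoted in the question.

```xml
<!-- sharedflows/default.xml (attached to the PreProxyFlowHook of the environment).
     Only the token-issuing endpoint is exempt from verification; every other
     request through every proxy must carry a valid bearer token.
     In MatchesPath, "*" matches one path segment and "**" matches any number,
     so "/oauth/*" alone would NOT match /oauth/client_credential/accesstoken. -->
<SharedFlow name="default">
  <Step>
    <Condition>!(request.path MatchesPath "/oauth/client_credential/accesstoken")</Condition>
    <Name>OAuthV2-VerifyAccessToken</Name>
  </Step>
</SharedFlow>

<!-- policies/OAuthV2-VerifyAccessToken.xml (policy name assumed).
     VerifyAccessToken reads "Authorization: Bearer <token>" by default and
     raises keymanagement.service.invalid_access_token when the token is
     missing, expired or revoked, which is the fault shown in the question. -->
<OAuthV2 name="OAuthV2-VerifyAccessToken">
  <Operation>VerifyAccessToken</Operation>
</OAuthV2>
```

Exempting the single token path rather than the whole /oauth prefix keeps any other resource the OAuth proxy might later expose under the same verification step.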