On this page
Token Service

Secure Your APIs with Tokens

A modern token-based architecture should be the cornerstone of your efforts in keeping your APIs secure and customers' log-in experience smooth. With Curity’s Token Service you can fully leverage the OAuth and OpenID Connect standards for distributed authorization.

Token Service

Secure and Flexible Token Management

To fully leverage OAuth and OpenID Connect for distributed authorization, a flexible Token Service is a necessity. The Curity Token Service is highly configurable, each flow can be customized with the type of token, how they are issued, what data is present and more.



OpenID Connect

OpenID Connect

OpenID Certified

OpenID Certified by Curity to the Basic, Implicit, Hybrid, Configuration, Dynamic, Form Post and 3rd Party-Init profiles of the OpenID Connect™ protocol as well as Financial-grade API (FAPI) and Client Initiated Backchannel Authentication (CIBA).

Elevate Trust for Access Control

Tokens play a central role in establishing trust and ensuring the API has enough information to make the right access decision, every time.

API Agility

API Agility

With Curity's Token Service you can build many APIs quickly without impacting security. Create a single security pattern to be used throughout your organization’s architecture. The philosophy is, design once, use forever. This saves development efforts and speeds up time to market.

Authorization API/api/moneytransfer

Enable the Right Access Decisions

The key to access control is to have the relevant data at any given moment. Useful tokens contain exactly the information that the API needs. With Curity's Token Service you can design and customize your tokens to suit specific situations and use cases.

LineDesigning the tokenDesigning the tokenDesigning the tokenDesigning the token
  1. Procedures
  2. Scripts
  3. Simple or Advanced

Designing the Token

Useful tokens contain exactly the information that the API needs. With Curity’s Token Service you can design and customize your tokens to suit specific situations and use cases

  1. Flexible and customizable
  2. Scriptable token issuance
  3. No need to code

Common Use Cases

Consistent, scalable and secure access management with the Curity Token Service.

Scalable Microservices with the Phantom Token Flow

Mobile app

Mobile App

Opaque Token


JWT Token


Opaque Token
JWT Token
Curity Identity Server

Token Service enables consistent security across microservices. Each microservice expects an access token in JSON Web Token (JWT) Format. On the Internet opaque tokens are used and traded for JWTs in the Gateway or the Ingress Service for internal use. Keeping the information safe, whilst ensuring access internally.

Safe access to information

Consistent security

Centralized trust

Why Curity Token Service?

Configure instead of code

Scale across microservices

Security beyond basic OAuth

Standardized access control

Protect your business apps and APIs

The OAuth Toolbox

Different types of apps and devices require different security components. With the Curity Token Service you'll have an OAuth toolbox with the right tools ready to use and easy to implement.

Single Page Apps

Single Page Applications

  • Code Flow
Web Applications

Web Applications

  • OIDC Code Flow
  • UserInfo
Server Applications

Server Applications

  • Client Credentials
  • Client JWT Assertion
API Gateway

API Gateway

  • Introspection
  • Phantom Token
TV Applications

TV Applications

  • Device Flow
  • Scope TTL
Secure Applications

Secure Applications

  • Mutual TLS & CIBA
  • Constrained Tokens
  • Encrypted Tokens
Partner Integrations

Partner Integrations

  • JWT Assertion
  • Consent
Mobile Applications

Mobile Applications

  • PKCE
  • DCR & DCRM
MITM protections

MITM protections

  • JAR & PAR
  • JARM


  • RSA
  • Elliptic Curve
  • EdDSA

Connecting to your databases

With the Curity Identity Server, you can obtain claims from any data source and store dynamic clients in your database of choice.


Fully Leverage the API Security Standards

Designing security around standards means faster integrations and more secure access, but it can seem complicated and complex. With Curity Token Service you can leverage the benefits of the leading API security standards in a more easily manageable way.

In Curity Token Service it is possible to issue many tokens for the same purpose or different purposes at will. This provides a greater flexibility when adapting to current and future needs of your system.

  • Introspectable
  • Customizable

A scope of access is defined in the list of scopes. In Curity Identity Server scopes are easy to work with, it is also possible to define Prefix Scopes which are dynamic.
For example, if a video streaming scope is needed for a particular film the prefix scope could be video_stream_and the requested scope video_stream_movie123. It is also possible to have a scope expire after a certain amount of time.

  • Configured Scope
  • Prefix Scope
  • Scope Expiration

The format of a token defines how it is encoded and being able to customize the format is important. Sometimes it's better to use Opaque (referece tokens) that cannot be decoded without the server, and sometimes value tokens such as JSON Web Tokens are more appropriate. In Curity Token Service you can customized this as needed.

  • JSON Web Token (JWT)
  • Opaque
  • Nonce

Tokens for APIs

A flexible approach to construct and use tokens, enabling large-scale API infrastructures.

Claims are the content of the Token. These can be retrieved from any source necessary by the Curity Token Service when constructing the tokens. Some claims are standard claims defined by OpenID Connect, but in Curity Token Service, the admin can also set up custom claims mapped against any source(s). The claims are then presented in the tokens when appropriate.

  • OIDC Claims
  • Custom Claims
  • Custom Sources
  • Transformations

Sometimes the tokens and all associated tokens needs to be revoked. Curity Token Service provides several means to do this, including the standard revocation specification.

  • Single token
  • All tokens or grant

Often referred to as the token type, the way the token can be presented defines how secure it is. By default, OAuth uses Bearer tokens, but Curity Token Service also support MTLS Sender Constrained tokens which requires the client to prove the ownership of a private key by presenting a Client Certificate to use the token. Protect against man-in-the-middle attacks using JAR, PAR, JARM and JWE Tokens.

  • Bearer
  • Proof-of-Possession
  • MTLS Sender Constrained
  • JWE Tokens
  • EdDSA

Everything through Configuration

With Curity Token Service you have the flexibility to configure in the way that works for you and suit your specific needs.

OAuth Client

Add capabilities


JWT Assertion

Assisted Token

Client Credentials

Code Flow

Device Authorizaton

Implicit Flow


Resource Owner Password Flow

Token Exchange

Configuration without Code

You can easily configure your system and processes via the graphical user interface without the need to code. You simply select your capabilities, click and drag.

Easy-to use admin UI

Create capabilities for each client

Claims Source
Select Attributes
  • name
  • nickName
  • profileUrl
  • title
  • userType...


Create Trust Using Claims

Claims are critical to reach the highest level in the API Security Maturity model; however, to be effective they need to suit your specific needs. In the Token Service you can easily create and configure how claims are managed, there are a range of attributes to choose from and you can also add your own custom ones.

Increase Trust

Flexible Setup

Manage Claims Centrally

Customize Your Token Procedures

Create your own custom scripts for more advanced control. This can be useful when creating procedures for example. It allows you to customize how the token is structured, or issue more than one token, either inside another token, or next to another token. Using scripts, you’re in full control of your tokens.


The JavaScript editor in the Web UI offers auto-completion based on JavaScript type annotations. It also includes all Curity-provided globals available to script and definitions of Java types exposed in the procedures API.


Introspect Token

Issue Tokens

function result(context) {
var responseData = {
active: context.presentedToken.active
if (context.presentedToken.active) {
appendObjectTo(context.presentedToken.data, responseData);
responseData.token_type = context.presentedToken.type;
responseData.client_id = context.presentedToken.delegation.clientId;
responseData.expired_scope = context.presentedToken.expiredScopes;
return responseData;
function result(context) {
var delegationData = context.getDefaultDelegationData();
var issuedDelegation = context.delegationIssuer.issue(delegationData);
var accessTokenData = context.getDefaultAccessTokenData();
var issuedAccessToken = context.accessTokenIssuer.issue(accessTokenData, issuedDelegation);
var refreshTokenData = context.getDefaultRefreshTokenData();
var issuedRefreshToken = context.refreshTokenIssuer.issue(refreshTokenData, issuedDelegation);
var responseData = {
access_token: issuedAccessToken,
scope : accessTokenData.scope,
refresh_token: issuedRefreshToken,
token_type: 'bearer',
expires_in: secondsUntil(accessTokenData.exp)
if (context.scopeNames.contains('openid')) {
var idTokenData = context.getDefaultIdTokenData();
var idTokenIssuer = context.idTokenIssuer;
idTokenData.at_hash = idTokenIssuer.atHash(issuedAccessToken);
responseData.id_token = idTokenIssuer.issue(idTokenData, issuedDelegation);
return responseData;
See Curity Identity Server in action

See Curity Identity Server in action

In this demo, we give you a comprehensive overview of the Curity Identity Server. What it is and what problems it helps you solve.

Watch Demo

Next steps

Ready to modernize IAM?

Start Today - Build security and improve ease of use to stay ahead of the competition.