Token Service

Secure Your APIs with Tokens

A modern token-based architecture should be the cornerstone of your efforts in keeping your APIs secure and customers' log-in experience smooth. With Curity’s Token Service you can fully leverage the OAuth and OpenID Connect standards for distributed authorization.

Token Service

Secure and Flexible Token Management

To fully leverage OAuth and OpenID Connect for distributed authorization, a flexible Token Service is a necessity. The Curity Token Service is highly configurable, each flow can be customized with the type of token, how they are issued, what data is present and more.



OpenID Connect

OpenID Connect

OpenID Certified

OpenID Certified by Curity to the Basic, Implicit, Hybrid, Configuration, Dynamic, Form Post and 3rd Party-Init profiles of the OpenID Connect™ protocol as well as Financial-grade API (FAPI) and Client Initiated Backchannel Authentication (CIBA).

Elevate Trust for Access Control

Tokens play a central role in establishing trust and ensuring the API has enough information to make the right access decision, every time.

API Agility

With Curity’s Token Service you can build many APIs quickly without impacting security. Create a single security pattern to be used throughout your organization’s architecture. The philosophy is, design once, use forever. This saves development efforts and speeds up time to market.

API Agility
Authorization API/api/moneytransfer

Enable the Right Access Decisions

The key to access control is to have the relevant data at any given moment. Useful tokens contain exactly the information that the API needs. With Curity’s Token Service you can design and customize your tokens to suit specific situations and use cases.

Designing the Token

Useful tokens contain exactly the information that the API needs. With Curity’s Token Service you can design and customize your tokens to suit specific situations and use cases

  1. Flexible and customizable
  2. Scriptable token issuance
  3. No need to code
LineDesigning the tokenDesigning the tokenDesigning the tokenDesigning the token
  1. Procedures
  2. Scripts
  3. Simple or Advanced

Common Use Cases

Consistent, scalable and secure access management with the Curity Token Service.

Scalable Microservices with the Phantom Token Flow

Mobile app

Mobile App

Opaque Token


JWT Token


Opaque Token
JWT Token
Curity Identity Server

Token Service enables consistent security across microservices. Each microservice expects an access token in JSON Web Token (JWT) Format. On the Internet opaque tokens are used and traded for JWTs in the Gateway or the Ingress Service for internal use. Keeping the information safe, whilst ensuring access internally.

Safe access to information

Consistent security

Centralized Trust

Manage the Complexity with OAuth for Service Mesh

TokenBlue TokenRed Token
Grey API
Red Token
TokenBlue TokenRed Token
Red APICurity Identity ServerBlue Token
Red Token
Blue Token
Blue Token
Curity Identity ServerCurity Identity Server

Curity Token Service can help you manage the complexity of a Service Mesh setup. There are three main methods; Embed, Exchange and Share.


With Embedding the original token(s) contains other tokens that can be extracted and passed downstream. This is an efficient way of narrowing the scope of access for a token as it travels in the mesh.


Exchange is used when the service doesn't know beforehand that it needs to contact another service. It can then trade the incoming token for another one that is intended for the next service. Policies in Curity Identity Server can govern what tokens can be traded for other tokens.


Sharing is the most straightforward approach where the same token is passed from one service to the next


Take full advantage of
OAuth flexibility

Create a responsive
token structure

Overview of the Token Handler Pattern



LineSingle Page Application (SPA)


3rd party cookie

1st party cookie

3rd party cookie

1st party cookie

Token Handler

Token Handler

Authorization Server

Authorization Server

JWT Token
JWT Token


By using the Token Handler Pattern you can separate Web and API concerns to combine the best features of Single Page Apps with Website security. This requires a utility API to implement OAuth requests on behalf of the web client. In the browser only the latest secure HTTP Only cookies are used, with the SameSite=strict property. Your backend code does not need to deal with cookies, and instead a reverse proxy plugin deals with forwarding JWTs to APIs.

Best Browser Security

Great User Experience

Simple Code

Ensure Privacy with Pairwise Pseudonym Identifiers (PPID)



Curity Identity Server

PPID can be used when external organizations require information about the user, but privacy needs to be preserved. Each user is pseudonymized per organization. This means a user will always be represented with the same pseudonym in an organization, but two organizations cannot compare users identity attributes. This is especially useful to ensure compliance to regulation such as the GDPR.

Protect users' information
and privacy

Maintain full control of
information access

with regulations

Financial-grade APIs with mTLS

Curity Identity Server
Curity Identity Server

Financial-grade deployments have higher requirements for security and non-repudiation. The Curity Identity Server can help organizations achieve this, by using the "Mutual TLS Sender Constrained Tokens" methodology.

The client authenticates against Curity Identity Server using mutual TLS. This results in an access token that is bound to the client certificate. When the token is used, the client must use the same certificate to setup the mTLS channel towards the API or Gateway or else it will be rejected.

Achieve very high levels
of security

PSD2 & Open Banking

Enforce access policies in
APIs and gateways

Why Curity Token Service?

Configure instead of code

Scale across microservices

Security beyond basic OAuth

Standardized access control

Protect your business apps and APIs

The OAuth Toolbox

Different types of apps and devices require different security components. With the Curity Token Service you'll have an OAuth toolbox with the right tools ready to use and easy to implement.

Single Page Apps

Single Page Applications

  • Code Flow
Web Applications

Web Applications

  • OIDC Code Flow
  • UserInfo
Server Applications

Server Applications

  • Client Credentials
  • Client JWT Assertion
API Gateway

API Gateway

  • Introspection
  • Phantom Token
TV Applications

TV Applications

  • Device Flow
  • Scope TTL
Secure Applications

Secure Applications

  • Mutual TLS & CIBA
  • Constrained Tokens
  • Encrypted Tokens
Partner Integrations

Partner Integrations

  • JWT Assertion
  • Consent
Mobile Applications

Mobile Applications

  • PKCE
  • DCR & DCRM
MITM protections

MITM protections

  • JAR & PAR
  • JARM


  • RSA
  • Elliptic Curve
  • EdDSA

Connecting to your databases

With the Curity Identity Server, you can obtain claims from any data source and store dynamic clients in your database of choice.


Fully Leverage the API Security Standards

Designing security around standards means faster integrations and more secure access, but it can seem complicated and complex. With Curity Token Service you can leverage the benefits of the leading API security standards in a more easily manageable way.

In Curity Token Service it is possible to issue many tokens for the same purpose or different purposes at will. This provides a greater flexibility when adapting to current and future needs of your system.

  • Introspectable
  • Customizable

A scope of access is defined in the list of scopes. In Curity Identity Server scopes are easy to work with, it is also possible to define Prefix Scopes which are dynamic.
For example, if a video streaming scope is needed for a particular film the prefix scope could be video_stream_and the requested scope video_stream_movie123. It is also possible to have a scope expire after a certain amount of time.

  • Configured Scope
  • Prefix Scope
  • Scope Expiration

The format of a token defines how it is encoded and being able to customize the format is important. Sometimes it's better to use Opaque (referece tokens) that cannot be decoded without the server, and sometimes value tokens such as JSON Web Tokens are more appropriate. In Curity Token Service you can customized this as needed.

  • JSON Web Token (JWT)
  • Opaque
  • Nonce

Tokens for APIs

A flexible approach to construct and use tokens, enabling large-scale API infrastructures.

Claims are the content of the Token. These can be retrieved from any source necessary by the Curity Token Service when constructing the tokens. Some claims are standard claims defined by OpenID Connect, but in Curity Token Service, the admin can also set up custom claims mapped against any source(s). The claims are then presented in the tokens when appropriate.

  • OIDC Claims
  • Custom Claims
  • Custom Sources
  • Transformations

Sometimes the tokens and all associated tokens needs to be revoked. Curity Token Service provides several means to do this, including the standard revocation specification.

  • Single token
  • All tokens or grant

Often referred to as the token type, the way the token can be presented defines how secure it is. By default, OAuth uses Bearer tokens, but Curity Token Service also support MTLS Sender Constrained tokens which requires the client to prove the ownership of a private key by presenting a Client Certificate to use the token. Protect against man-in-the-middle attacks using JAR, PAR, JARM and JWE Tokens.

  • Bearer
  • Proof-of-Possession
  • MTLS Sender Constrained
  • JWE Tokens
  • EdDSA

The client may need specific information to be able to perform operations, this is easy to manage with Curity Identity Server and clients can be configured with unique claims mapped, or even request claims on the fly.

  • Mapping per client
  • Standard OIDC Claims
  • Request mapping

Curity Token Service offers a flexible way to manage consent. You can either use a standard OAuth consent screen (that can be made to match your brand) or using the more advanced consentor subsystem that allows external parties to provide the consent mechanism which includes signed consents.

  • Config per client
  • Branded per client
  • Signed Consent

Each application may have different requirements for authentication. Curity allows each client to be configured with it's own set of authentication mechanisms.

  • Config per client
  • Branding per client
  • Control by client
Client Features

Empower Your Clients

Protect and manage clients using the features required for specific applications.

A client can be configured and deployed with the rest of the configuration in Curity Identity Server, or it can be created dynamically using the standardized Dynamic Client Registration API. Any dynamically registered client can also be managed using the companion standard Dynamic Client Registration Management.

  • Configured
  • Dynamic Clients
  • Dynamic Client Management

Each application may have different authentication requirements. With Curity Identity Server each client can be configured with its own set of authentication mechanisms as it supports everything from basic authentication, to signed JWT assertions as well as using client certificates with mutual TLS.

  • Secret
  • Signed JWTs
  • MTLS
  • Public (no auth)

It's often necessary to share as little user information as possible with a client to make sure that privacy is upheld. Mechanisms like Pairwise Pseudonym identifiers (PPID) and Phantom Tokens ensure that privacy is maintained. Each client can also be configured to receive only the user claims it needs instead of providing the same information to all applications.

  • Pairwise Psedonymous Identifiers
  • Per client claims
  • Phantom Tokens

Everything through Configuration

With Curity Token Service you have the flexibility to configure in the way that works for you and suit your specific needs.

OAuth Client

Add capabilities


JWT Assertion

Assisted Token

Client Credentials

Code Flow

Device Authorizaton

Implicit Flow


Resource Owner Password Flow

Token Exchange

Configuration without code

You can easily configure your system and processes via the graphical user interface without the need to code. You simply select your capabilities, click and drag.

Easy-to use admin UI

Create capabilities for each client

Claims Source
Select Attributes
  • name
  • nickName
  • profileUrl
  • title
  • userType...


Create Trust Using Claims

Claims are critical to reach the highest level in the API Security Maturity model; however, to be effective they need to suit your specific needs. In the Token Service you can easily create and configure how claims are managed, there are a range of attributes to choose from and you can also add your own custom ones.

Increase Trust

Flexible Setup

Manage Claims Centrally

Customize Your Token Procedures

Create your own custom scripts for more advanced control. This can be useful when creating procedures for example. It allows you to customize how the token is structured, or issue more than one token, either inside another token, or next to another token. Using scripts, you’re in full control of your tokens.


The JavaScript editor in the Web UI offers auto-completion based on JavaScript type annotations. It also includes all Curity-provided globals available to script and definitions of Java types exposed in the procedures API.


Introspect Token

Issue Tokens

function result(context) {
    var responseData = {

    if ( {
        appendObjectTo(, responseData);
        responseData.token_type = context.presentedToken.type;
        responseData.client_id = context.presentedToken.delegation.clientId;
        responseData.expired_scope = context.presentedToken.expiredScopes;

    return responseData;
function result(context) {
    var delegationData = context.getDefaultDelegationData();
    var issuedDelegation = context.delegationIssuer.issue(delegationData);

    var accessTokenData = context.getDefaultAccessTokenData();
    var issuedAccessToken = context.accessTokenIssuer.issue(accessTokenData, issuedDelegation);

    var refreshTokenData = context.getDefaultRefreshTokenData();
    var issuedRefreshToken = context.refreshTokenIssuer.issue(refreshTokenData, issuedDelegation);

    var responseData = {
        access_token: issuedAccessToken,
        scope : accessTokenData.scope,
        refresh_token: issuedRefreshToken,
        token_type: 'bearer',
        expires_in: secondsUntil(accessTokenData.exp)

    if (context.scopeNames.contains('openid')) {
        var idTokenData = context.getDefaultIdTokenData();

        var idTokenIssuer = context.idTokenIssuer;
        idTokenData.at_hash = idTokenIssuer.atHash(issuedAccessToken);

        responseData.id_token = idTokenIssuer.issue(idTokenData, issuedDelegation);

    return responseData;
See Curity Identity Server in action

See Curity Identity Server in action

In this demo, we give you a comprehensive overview of the Curity Identity Server. What it is and what problems it helps you solve.

Watch Demo

Be up and Running in Minutes

Start Free Trial

Evaluate the Fit for Your Use Case

Schedule a Demo

Speak to an Identity Specialist

Contact Us