An API gateway or API manager provides a facade to access back-end APIs. This kind of reverse proxy is deployed in many API-based infrastructures to ensure that access to back-end services are authenticated and authorized.
In order to make these determinations, the gateway needs some proof of who the user and/or the caller is. This is commonly done in a token-based manner where the token or ticket is a representation of the end user and includes information about the calling client application that the user is operating. To obtain such a token, organizations are increasingly deploying OAuth 2 as the protocol that defines how such tokens should be issued. Once these tokens are issued and presented to the API gateway, they must be validated.
Due to the differences between token issuance and validation, using the same product for both will lead to suboptimal implementations; using the right tool for the each job, on the other hand, will increase time to market and ensure greater chances for success over the long run.