
OAuth Toolkit

Add OAuth & OpenID Connect to Your APIs

The Layer 7 OAuth Toolkit is a complete OAuth implementation that gives you control over access to your APIs. It consists of:

  • An OAuth authorization server supporting various types of OAuth handshake with API-consuming applications
  • An OAuth resource server in the form of an API Gateway protecting access to your APIs at runtime
  • A token management system, which can be deployed in a distributed architecture

The authorization server and resource server can integrate with existing identity infrastructure (LDAP, MS AD, CA SiteMinder, Oracle Access Manager, RSA Access Manager, Tivoli Access Manager, Ping) as well as with other OAuth-capable components.

The OAuth Toolkit supports the OAuth 1.0, 1.0a and 2.0 standards as well as extension grant types such as SAML bearer tokens and JWT (JSON Web Token) bearer tokens. Optional HMAC or RSA signatures, configurable TTL and customizable policy flows are supported for maximum interoperability.

Layer 7 also provides an OpenID Connect implementation built on top of the OAuth Toolkit, which can be used to extend an existing identity directory into a state-of-the-art federated identity provider.

Video: OAuth Toolkit Demo

Webinar: A Practical Guide to API Security & OAuth for the Enterprise, featuring Forrester Research, Inc.

Extensible Policies

Policies can be customized to meet the unique requirements of specific OAuth implementations and can easily be upgraded for the latest versions of the OAuth specification.

Deployment Flexibility

Layer 7’s OAuth functionality can be implemented in-line for downstream token translation and mapping or as an end-point service.

Standards Support

As a co-author of popular specifications like WS-Trust and WS-Federation, Layer 7 is committed to standards-based implementation.

The Layer 7 OAuth Toolkit supports:

  • OAuth 1.0a
  • OAuth 2.0
  • OAuth WRAP
  • SAML 1.1/2.0
  • HMAC
  • RSA
  • SHA-1
  • SHA-2 (SHA-256, SHA-512)

Identity & Message-Level Security for APIs

OAuth Support

  • Support for a variety of OAuth implementations, including both two- and three-legged deployments
  • HMAC and RSA signature methods plus the SHA-1, SHA-256 and SHA-512 hash algorithms

Identity Federation

  • Support for Web browser-based SSO for federating on-premise identities to Web-based applications and Cloud services
  • Integrated SAML STS issuer for managing security for cross-domain and business-to-business relationships