Understanding authorized access tokens
Authorized access token (AAT) is now the default token format used in Pega Platform for OAuth 2.0 access tokens. AAT replaced the previously used opaque tokens.
Authorized access tokens
AATs are self-contained, compact, and digitally signed to be tamperproof.
Pega Platform manages AATs with autogenerated claims and a built-in key rotation strategy. Pega Platform uses the JSON Web Token (JWT) and JSON Web Signature (JWS) standards for managing authorized access tokens.
Sample AAT
The following image shows a sample AAT with information on what each part of the token contains:
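As an added example that is not Pega's own code and does not reproduce Pega's actual token format or signing algorithm, the following Python builds a compact JWS (header, claims, signature) with a hypothetical HMAC-SHA256 key looked up by the `kid` header, then shows why such a token is tamperproof: changing the claims without the signing key, or presenting it after `exp`, fails verification. The key IDs, secrets and claims are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed signing keys keyed by "kid", standing in for a key rotation
# scheme (assumption for illustration; not Pega Platform's keys or algorithm).
KEYS = {"key-2023": b"retired-secret", "key-2024": b"current-secret"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, kid: str) -> str:
    """Serialize header.payload and sign it with the key named by kid."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(claims)}"
    sig = hmac.new(KEYS[kid], signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def verify_token(token: str, now=None) -> dict:
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        key = KEYS.get(header.get("kid"))
        if header.get("alg") != "HS256" or key is None:
            return None  # unknown or retired key, or unexpected algorithm
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None  # payload or signature was altered
        claims = json.loads(b64url_decode(p))
        if claims.get("exp", 0) <= (now if now is not None else int(time.time())):
            return None  # expired
        return claims
    except (ValueError, json.JSONDecodeError):
        return None


def tamper(token: str, new_claims: dict) -> str:
    """Replace the claims segment but keep the old signature (what an attacker without the key can do)."""
    h, _, s = token.split(".")
    return f"{h}.{b64url(json.dumps(new_claims).encode())}.{s}"
```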
- Enhanced refresh token strategy
You now have more precise control over your refresh token expiration strategy. When an OAuth 2.0 client application requests a new access token using the refresh token grant type, the Pega Platform response includes the new access token as well as the refresh token. In the Token Management section, you choose the refresh token issuance mechanism and the expiration of various tokens issued by Pega Platform.
- Understanding dynamic client registration
Use dynamic client registration (DCR) to dynamically register trusted third-party applications as OAuth 2.0 clients with Pega Platform. DCR creates OAuth 2.0 clients for you, using Pega Platform defaults.