OAuth 2.0 API

If you are building a mobile application, and don’t want to (or can’t) use cookie-based sessions, you’ll need to generate access tokens using the OAuth 2.0 API provided by this library.

By default, this library will provide a POST route at /oauth/token. Simply make a POST request to this URI with the user’s credentials to generate tokens for the user. You can change this URI, or disable the feature entirely if you wish.

This topic describes how to configure the OAuth 2.0 API endpoint. For details on how to use it, see the OAuth 2.0 password grant section.

Configuration options

This feature supports several options that you can configure using code or markup (see the Configuration section):

  • enabled: Whether the feature is enabled. (Default: true)
  • uri: The path for this feature. (Default: /oauth/token)

Additionally, there are specific options for each supported OAuth 2.0 grant type:

Client credentials grant options

See the OAuth 2.0 client credentials grant topic for a detailed description of how the client credentials grant flow works.

  • enabled: Whether the client credentials Grant flow is enabled. (Default: true)
  • accessToken.ttl: The time-to-live (in seconds) of the generated access token. (Default: 3600)

Password grant options

See the OAuth 2.0 password grant topic in the Authentication section for a detailed description of how the password grant flow works.

  • enabled: Whether the password grant flow is enabled. (Default: true)
  • validationStrategy: Whether to validate the token locally or via the Stormpath API. (Default: local, see Token validation strategy)


Any unchanged options will retain their default values. See the Default configuration section to view the defaults.

Configuration example

To change the token endpoint URI and use remote (Stormpath API) validation of the Access Token, use this configuration (shown in YAML):

    uri: "/api/token"
      validationStrategy: "stormpath"

You could also set this configuration via code:

services.AddStormpath(new StormpathConfiguration()
    Web = new WebConfiguration()
        Oauth2 = new WebOauth2RouteConfiguration()
            Uri = "/api/token",
            Password = new WebOauth2PasswordGrantConfiguration()
                ValidationStrategy = WebOauth2TokenValidationStrategy.Stormpath

See the Configuration section for more details on how configuration works, or Default configuration to see the default values for this route.

Default configuration

Options that are not overridden by explicit configuration (see Configuration) will retain their default values.

For reference, the full default configuration for this route is shown as YAML below:

    enabled: true
    uri: "/oauth/token"
      enabled: true
        ttl: 3600
      enabled: true
      validationStrategy: "local"


You can also refer to the Example Stormpath configuration to see the entire default library configuration.