Send Docs Feedback

Note: Most user interface tasks can be performed in Edge Classic or the New Edge experience. For an overview, getting started topics, and release notes specific to the New Edge experience, see the docs.

Set OAuth V2 Info policy


Lets you add or update custom attributes associated with an access token. Custom attributes might include things like department name, a customer ID, or a session identifier. See also Customizing tokens and auth codes.

You can only add or modify custom attributes. You cannot use this policy to change fields like scope, status, expires_in, developer_email, client_id, org_name, or refresh_count. If an attribute already exists, this policy updates it. If it does not exist, the policy adds it. The access token referenced must be valid and in an approved state.



This policy can be attached in the following locations. See the Samples for specific attachment guidance in different situations.

ProxyEndpoint TargetEndpoint
    PreFlow Flow PostFlow PreFlow Flow PostFlow    
    PostFlow Flow PreFlow PostFlow Flow PreFlow    


Below is an example policy used to update an OAuth 2.0 access token. The example below locates the access token on the request message by looking for a query parameter called access_token. When an access token is presented by a client app, the policy below will locate the access token in the query parameter. It will then update the access token's profile. It adds a custom property called to the profile. 

<SetOAuthV2Info name="SetOAuthV2Info"> 
  <AccessToken ref="request.queryparam.access_token"></AccessToken>
    <Attribute name="" ref="request.queryparam.department_id"></Attribute>

If an attribute already exists in the access token profile, then it will be updated with the new value in the policy. If an attribute does not exist, then the attribute will be added to the access token's profile.

Element Reference

The element reference describes the elements and attributes of the SetOAuthV2 policy.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<SetOAuthV2Info async="false" continueOnError="false" enabled="true" name="SetOAuthV2Info-1">    
    <DisplayName>Set OAuth v2.0 Info 1</DisplayName>
    <AccessToken ref={some-variable}></AccessToken>

<SetOAuthV2Info> attributes

<SetOAuthV2Info async="false" continueOnError="false" enabled="true" name="Set-OAuth-v20-Info-1">

The following attributes are common to all policy parent elements.

Attribute Description Default Presence

The internal name of the policy. Characters you can use in the name are restricted to: A-Z0-9._\-$ %. However, the Edge management UI enforces additional restrictions, such as automatically removing characters that are not alphanumeric.

Optionally, use the <DisplayName> element to label the policy in the management UI proxy editor with a different, natural-language name.

N/A Required

Set to false to return an error when a policy fails. This is expected behavior for most policies.

Set to true to have flow execution continue even after a policy fails.

false Optional

Set to true to enforce the policy.

Set to false to "turn off" the policy. The policy will not be enforced even if it remains attached to a flow.

true Optional

This attribute is deprecated.

false Deprecated

<DisplayName> element

Use in addition to the name attribute to label the policy in the management UI proxy editor with a different, natural-language name.

<DisplayName>Policy Display Name</DisplayName>


If you omit this element, the value of the policy's name attribute is used.

Presence: Optional
Type: String


<AccessToken> element

Identifies the variable where the access token is located. For example, if the access token is attached to request message as a query parameter, specify request.queryparam.access_token. You can use any valid variable that references the token. Or, could pass in the literal token string (rare case).

 <AccessToken ref="request.queryparam.access_token"></AccessToken>
Default: N/A
Presence: Required
Type: String


Attribute Description Default Presence

An access token variable. Typically, retrieved from a flow variable.

N/A Optional

<Attributes> element

A set of attributes in the access token profile that will be modified or augmented.

Default: N/A
Presence: Required
Type: N/A

<Attributes>/<Attribute> element

An individual attribute to update.

The name attribute identifies the custom property of the access token profile to be updated. This example shows how to use a referenced variable value and a static value. 

    <Attribute name="" ref="request.queryparam.department_id"></Attribute>
    <Attribute name="foo">bar</Attribute>
Default: N/A
Presence: Optional
Type: N/A


Attribute Description Default Presence
name The name of the profile attribute to add or change. N/A  

The value to assign to the profile attribute.

N/A Optional


Flow variables

On success, the following flow variables will be set:

  • oauthv2accesstoken.{policyName}.access_token
  • oauthv2accesstoken.{policyName}.client_id
  • oauthv2accesstoken.{policyName}.refresh_count
  • oauthv2accesstoken.{policyName}.organization_name
  • oauthv2accesstoken.{policyName}.expires_in
  • oauthv2accesstoken.{policyName}.refresh_token_expires_in
  • oauthv2accesstoken.{policyName}.issued_at
  • oauthv2accesstoken.{policyName}.status
  • oauthv2accesstoken.{policyName}.api_product_list
  • oauthv2accesstoken.{policyName}.token_type
  • oauthv2accesstoken.{policyName}.{custom_attribute_name}


Each policy type is defined by an XML schema (.xsd). For reference, policy schemas are available on GitHub.

Error reference

This section describes the error messages and flow variables that are set when this policy triggers an error. This information is important to know if you are developing fault rules for a proxy. To learn more, see What you need to know about policy errors and Fault handling.

Error code prefix

steps.oauth.v2 (What's this?)

Runtime errors

These errors can occur when the policy executes. The error names shown below are the strings that are assigned to the variable when an error occurs. See the Fault variables section below for more details.

Error name HTTP status Cause
invalid_access_token 500 The access token sent to the policy is invalid.
expired_access_token 500 The access token sent to the policy is expired.

Deployment errors

Refer to the message reported in the UI for information about deployment errors.

Fault variables

These variables are set when this policy triggers an error at runtime.

You an use these variables to create Fault Rule conditions. For more information, see What you need to know about policy errors.

Variables set (Learn more) Where Example
[prefix].[policy_name].failed The [prefix] is oauthV2.
The [policy_name] is the name of the policy that threw the error.
oauthV2.SetTokenInfo.failed = true
[prefix].[policy_name] The [prefix] is oauthV2.
The [policy_name] is the name of the policy that threw the error. = invalid_access_token

[prefix].[policy_name].fault.cause The [prefix] is oauthV2.
The [policy_name] is the name of the policy that threw the error.
oauthV2.SetTokenInfo.cause = Invalid Access Token = [error_name] [error_name] is the specific error name to check for as listed in the table above. = "invalid_access_token"

Example error response

  "fault": {
    "faultstring": "Invalid Access Token",
    "detail": {
      "errorcode": "keymanagement.service.invalid_access_token"

Example fault rule

<FaultRule name=SetOAuthV2Info Faults">
        <Condition>( = "invalid_access_token")</Condition>
    <Condition>(oauthV2.failed = true) </Condition>

Related topics

Help or comments?