Hashing tokens for extra security

You're viewing Apigee Edge documentation.
Go to the Apigee X documentation.

To protect OAuth access and refresh tokens in the event of a database security breach, you can enable automatic token hashing in your Edge organization. When the feature is enabled, Edge automatically creates a hashed version of newly generated OAuth access and refresh tokens using the algorithm you specify. (Information about bulk-hashing existing tokens follows.) The non-hashed tokens are used in API calls, and Edge validates them against the hashed versions in the database.

If you are an Edge cloud customer

If you're an Edge cloud customer, contact Apigee Support to enable hashing on your organization and optionally to bulk hash existing tokens.

If you are an Edge for Private Cloud customer

Edge for Private Cloud administrators can enable token hashing by setting these organization-level properties using the management API call shown below:

features.isOAuthTokenHashingEnabled = true

features.OAuthTokenHashingAlgorithm = SHA1 | SHA256 | SHA384 | SHA512 | PLAIN

If you have existing hashed tokens and want to retain them until they expire, set the following properties in your organization, where the hashing algorithm matches the existing algorithm (for example, SHA1, the former Edge default). If the tokens were not hashed, use PLAIN.

features.isOAuthTokenFallbackHashingEnabled = true

features.OAuthTokenFallbackHashingAlgorithm = SHA1 | SHA256 | SHA384 | SHA512 | PLAIN

Here's a sample API call for enabling token hashing. Be sure to include all the existing organization properties in the payload. If you don't, all existing organization properties are overwritten by only the properties you set with this call.

curl -u email:password -X PUT -H "Content-type:application/xml" https://host:port/v1/o/{myorg} -d \
"<Organization type="trial" name="MyOrganization">
        <Property name="features.isOAuthTokenHashingEnabled">true</Property>
        <Property name="features.OAuthTokenHashingAlgorithm">SHA256</Property>
        <Property name="features.isOAuthTokenFallbackHashingEnabled">true</Property>
        <Property name="features.OAuthTokenFallbackHashingAlgorithm">SHA1</Property>
        <Property...(an existing property)
        <Property...(an existing property)
        <Property...(an existing property)