Step 2: Get a token to use in configuration endpoints (required for steps 3-5)

Call the /login/token endpoint to request a token with the API scopes needed for configuration. When configuring Basic authorization for this call, use your OIDC configuration client ID as the username and the OIDC configuration client secret as the password.

It’s a good idea to create at least one extra configuration token policy, even if the token lifetimes and allowed scopes are identical to the configuration token policy issued by Akamai. Why? Well, suppose you accidentally delete your configuration token policy. (It can happen.) If you do that you’ll no longer have access to the OpenID Connect Configuration APIs, which makes it impossible to manage Hosted Login.

Note. Couldn’t you just create a new configuration token policy? Well, you could, except that creating a new token policy requires you to have a configuration access token, and there’s no way for you to get a configuration access token unless you already have a configuration token policy.

Request Template

curl -X POST \
  https://v1.api.<region><customer-id>/login/token \
   -H 'Authorization: Basic <Base64-encoded-client_id:client_secret>' \
   -d 'grant_type=client_credentials' \
   -d 'scope=<allowed-config-endpoints>' 

Example Request

curl -X POST \ \
  -H 'Authorization: Basic N2JhNTE2NjEtMWE3ZS0...1BVU1vbGdRRUVLQlpwdlRB' \
  -d 'grant_type=client_credentials' \
  -d 'scope=*:config/**'

Example Response

    "access_token": "abc1deA2BfgCDEFhGiHjIJKkL3l4MmnNopOPqQR-Srst-5T6UuvV7WXw8YZx9y0A",
    "expires_in": 3600,
    "token_type": "Bearer",
    "scope": "*:config/**"

The scope in this example allows full read/write access to all Hosted Login endpoints for your Customer ID. If you want to limit the scope to a specific endpoint or subset of endpoints, and/or you want to allow only certain actions on those endpoints, you can adjust this value accordingly. Scope formatting is documented here. 

Scope Examples 

To create a token that can ...

Use this scope syntax

Read (GET) all token policies, login policies, and OIDC clients


Read (GET) and configure (POST, PUT) all token policies


Read (GET) all token policies and all login policies (separated by a space)

'scope=.:config/tokenPolicies** .:config/loginPolicies**'

Read (GET) a specific login policy


Read (GET) and configure (PUT) a specific login policy


Read (GET) and configure (PUT) the token policy, login policy, and OIDC client for a specific property (separated by a space)

'scope=*:config/tokenPolicies/a123bcde-4f56-7890-gh12-i34j567k8l90 *:config/loginPolicies/1ab23c45-6789-0123-d4ef-5g678h90ijk1 *:config/clients/1ab23456-7c8d-90ef-g123-45hij6789012'

   Step 3: Create a Token Policy