Get an administrative access token

Access the OIDC Configuration Endpoints

Call the /login/token endpoint to request a token with the API scopes needed for configuration. When configuring Basic authorization for this call, use your OIDC configuration client ID as the username and the OIDC configuration client secret as the password.

It’s a good idea to create at least one extra configuration token policy, even if the token lifetimes and allowed scopes are identical to the configuration token policy issued by ​Akamai​. Why? Well, suppose you accidentally delete your configuration token policy. (It can happen.) If you do that you’ll no longer have access to the OpenID Connect Configuration APIs, which makes it impossible to manage Hosted Login.


Couldn’t you just create a new configuration token policy? Well, you could, except that creating a new token policy requires you to have a configuration access token, and there’s no way for you to get a configuration access token unless you already have a configuration token policy.

Request template

curl -X POST \
  https://v1.api.<region><customer-id>/login/token \
   -H 'Authorization: Basic <Base64-encoded-client_id:client_secret>' \
   -F 'grant_type=client_credentials' \
   -F 'scope=<allowed-config-endpoints>'

Example request

curl -X POST \ \
  -H 'Authorization: Basic N2JhNTE2NjEtMWE3ZS0...1BVU1vbGdRRUVLQlpwdlRB' \
  -F 'grant_type=client_credentials' \
  -F 'scope=*:config/**'

Example response

    "access_token": "abc1deA2BfgCDEFhGiHjIJKkL3l4MmnNopOPqQR-Srst-5T6UuvV7WXw8YZx9y0A",
    "expires_in": 3600,
    "token_type": "Bearer",
    "scope": "*:config/**"

The scope in this example allows full read/write access to all Hosted Login endpoints for your Customer ID. If you want to limit the scope to a specific endpoint or subset of endpoints, and/or you want to allow only certain actions on those endpoints, you can adjust this value accordingly. Scope formatting is documented here.

Scope examples

To create a token that can ...Use this scope syntax
Read (GET) all token policies, login policies, and OIDC clients'scope=.:config/**'
Read (GET) and configure (POST, PUT) all token policies'scope=*:config/tokenPolicies**'
Read (GET) all token policies and all login policies (separated by a space)'scope=.:config/tokenPolicies** .:config/loginPolicies**'
Read (GET) a specific login policy'scope=.:config/loginPolicies/1ab23c45-6789-0123-d4ef-5g678h90ijk1'
Read (GET) and configure (PUT) a specific login policy'scope=*:config/loginPolicies/1ab23c45-6789-0123-d4ef-5g678h90ijk1'
Read (GET) and configure (PUT) the token policy, login policy, and OIDC client for a specific property (separated by a space)'scope=*:config/tokenPolicies/a123bcde-4f56-7890-gh12-i34j567k8l90 *:config/loginPolicies/1ab23c45-6789-0123-d4ef-5g678h90ijk1 *:config/clients/1ab23456-7c8d-90ef-g123-45hij6789012'