Securing APIs Using OAuth and Phantom Tokens with NGINX

OAuth is the established method for securing APIs. To ensure a good balance between security, privacy, and developer experience, OAuth tokens need to be managed in the proper way. The Phantom Token flow describes a good practice for sending opaque tokens on the Internet and trading them for JWTs internally by leveraging a capable API gateway. In this session, Travis introduces Phantom Tokens and describes how to apply them to the normal OAuth and OpenID Connect flows using NGINX Controller.

Topics include:

• How to provide secure and privacy‑aware APIs
• OAuth and OpenID Connect
• When and how to use opaque tokens and JWTs
• Combining NGINX Controller with an external OAuth server