I generated an access token using client id(apikey)_1 and client secret_1.
Now i am using that access token generated above with a GET resource call and pass api key2. And its working. . But i want restrict this that only the api key1 which generated the access token can use that to access a resource.
Note - apikey1 and apikey2 both are authorized to access the resource. We want to restrict use of anyone else access token however.
Please let me know how to implement it.
When you validate the access_token Apigee will populate a variable for clientid (check the variables in the trace tool on the policy you're using validate the token). It should also populate the product that is associated with the key.
While you can build policies around a client_id, it's better to use products. Products allow you to restrict access by resource and are tied to the client_id that generates the access_token.
See the product documentation on Apigee at http://apigee.com/docs/developer-services/content/what-api-product for more info on how to configure and use them.
