wso2 · RusJaI · Nov 20, 2024 · Nov 19, 2024
diff --git a/en/docs/design/api-security/oauth2/multiple-active-access-tokens.md b/en/docs/design/api-security/oauth2/multiple-active-access-tokens.md
@@ -0,0 +1,23 @@
+# Multiple Active Access Tokens
+
+WSO2 API Manager by default allows only one active access token to be in existence for the same Consumer Key, User and Scope combination at a given time. This behaviour can be modified to allow multiple access tokens as described in the following sections.
+
+## JWT
+
+When issuing `JWT` tokens before the expiry or revocation of the previous token, the default behaviour is to revoke the previous token and issue a new token. With the following configuration, it can be configured to issue a new token before expiry and without revoking the old token, allowing the existence of multiple active access tokens at the same time.
+
+```toml
+[oauth.jwt.renew_token_without_revoking_existing]
+enable = true
+```
+
+By default only the `client_credentials` grant type is allowed to generate multiple access tokens. This can be configured by the following configuration.
+
+```toml
+[oauth.jwt.renew_token_without_revoking_existing]
+enable = true
+allowed_grant_types = [“client_credentials”, “password”]
+```
+
+!!! note
+    If you are customizing the `allowed_grant_types` make sure to add or remove the default value `client_credentials` as per the requirement.
diff --git a/en/mkdocs.yml b/en/mkdocs.yml
@@ -190,6 +190,7 @@ nav:
                 - Token Persistence: design/api-security/oauth2/token-persistence.md
                 - Encrypting OAuth2 Tokens: design/api-security/oauth2/encrypting-oauth2-tokens.md
                 - Hashing OAuth Keys: design/api-security/oauth2/hashing-oauth-keys.md
+                - Multiple Active Access Tokens: design/api-security/oauth2/multiple-active-access-tokens.md
                 - Provisioning Out-of-Band OAuth Clients: design/api-security/oauth2/provisioning-out-of-band-oauth-clients.md
                 - Securing OAuth Token with HMAC Validation: design/api-security/oauth2/securing-oauth-token-with-hmac-validation.md
             - Threat Protection:
@@ -1128,6 +1129,7 @@ plugins:
               'learn/api-security/oauth2/token-persistence.md': 'https://apim.docs.wso2.com/en/4.2.0/design/api-security/oauth2/token-persistence/'
               'learn/api-security/oauth2/encrypting-oauth2-tokens.md': 'https://apim.docs.wso2.com/en/4.2.0/design/api-security/oauth2/encrypting-oauth2-tokens/'
               'learn/api-security/oauth2/hashing-oauth-keys.md': 'https://apim.docs.wso2.com/en/4.2.0/design/api-security/oauth2/hashing-oauth-keys/'
+              'learn/api-security/oauth2/multiple-active-access-tokens.md': 'https://apim.docs.wso2.com/en/4.2.0/design/api-security/oauth2/multiple-active-access-tokens/'
               'learn/api-security/oauth2/provisioning-out-of-band-oauth-clients.md': 'https://apim.docs.wso2.com/en/4.2.0/design/api-security/oauth2/provisioning-out-of-band-oauth-clients/'
               'learn/api-security/oauth2/securing-oauth-token-with-hmac-validation.md': 'https://apim.docs.wso2.com/en/4.2.0/design/api-security/oauth2/securing-oauth-token-with-hmac-validation/'
               'learn/api-security/threat-protection/bot-detection.md': 'https://apim.docs.wso2.com/en/4.2.0/design/api-security/threat-protection/bot-detection/'