API using OAuth 2.0

@Rohit_Tomar, it's all about how you want to implement it and who is going to own the responsibility of validating the token.

Please check the existing article.

As a provider, keep things simple. Register a client and provide the details below to the client to generate the tokens. (If you do not want them to generate the token by themselves, then create it on behalf of the client and just share the generated access token to invoke the API.)

  1. Client_ID - Get it from the application which you created in API Gateway
  2. Client_Secrets - Get it from the application which you created in API Gateway
  3. Authorization URL - /invoke/pub.apigateway.oauth2/authorize
  4. getAccessToken URL - /invoke/pub.apigateway.oauth2/getAccessToken
  5. Refresh token URL - /invoke/pub.oauth/refreshAccessToken