When it about converting business requirements to code, there are hundreds of best practices and frameworks available for developers to refer to. However, when it is about security for APIs, it is a well guarded secret on how does internet giants tackle their API security. What are there best practices. There are very few in this space who can ascertain to the credibility of their API and Identity assertion systems. This talk targets the uncertainty around the functioning and utility of tokens in an API security landscape. It addresses the basic needs of a token infrastructure and what would it take to build one. This talk aims to help developers embrace security and identity as part of their tool chain and remove the skepticism around building their own API security. The developers should be able to use this discussion as a launchpad for building their own API authentication systems. This is a unique talk as many companies closely guard the secret of how their token infrastructure functions.