diff --git a/api-catalog-services/src/main/java/org/zowe/apiml/apicatalog/controllers/api/ApiCatalogController.java b/api-catalog-services/src/main/java/org/zowe/apiml/apicatalog/controllers/api/ApiCatalogController.java
index 0779c3ea60..96ef478599 100644
--- a/api-catalog-services/src/main/java/org/zowe/apiml/apicatalog/controllers/api/ApiCatalogController.java
+++ b/api-catalog-services/src/main/java/org/zowe/apiml/apicatalog/controllers/api/ApiCatalogController.java
@@ -26,6 +26,7 @@
 import org.springframework.web.bind.annotation.RestController;
 import org.zowe.apiml.apicatalog.exceptions.ContainerStatusRetrievalThrowable;
 import org.zowe.apiml.apicatalog.model.APIContainer;
+import org.zowe.apiml.apicatalog.security.OidcUtils;
 import org.zowe.apiml.apicatalog.services.cached.CachedApiDocService;
 import org.zowe.apiml.apicatalog.services.cached.CachedProductFamilyService;
 import org.zowe.apiml.message.log.ApimlLogger;
@@ -34,6 +35,7 @@
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
+import java.util.concurrent.atomic.AtomicReference;
 import java.util.stream.StreamSupport;
 
 /**
@@ -51,6 +53,8 @@ public class ApiCatalogController {
     @InjectApimlLogger
     private final ApimlLogger apimlLog = ApimlLogger.empty();
 
+    private AtomicReference<List<String>> oidcProviderCache = new AtomicReference<>();
+
     /**
      * Create the controller and autowire in the repository services
      *
@@ -64,6 +68,15 @@ public ApiCatalogController(CachedProductFamilyService cachedProductFamilyServic
         this.cachedApiDocService = cachedApiDocService;
     }
 
+    @GetMapping(value = "/oidc/provider", produces = MediaType.APPLICATION_JSON_VALUE)
+    public ResponseEntity<List<String>> getOidcProvider() {
+        if (oidcProviderCache.get() == null) {
+            oidcProviderCache.set(OidcUtils.getOidcProvider());
+        }
+
+        return new ResponseEntity<>(oidcProviderCache.get(), oidcProviderCache.get().isEmpty() ? HttpStatus.NO_CONTENT : HttpStatus.OK);
+    }
+
 
     /**
      * Get all containers
diff --git a/api-catalog-services/src/main/java/org/zowe/apiml/apicatalog/security/OidcUtils.java b/api-catalog-services/src/main/java/org/zowe/apiml/apicatalog/security/OidcUtils.java
new file mode 100644
index 0000000000..3c34fbf496
--- /dev/null
+++ b/api-catalog-services/src/main/java/org/zowe/apiml/apicatalog/security/OidcUtils.java
@@ -0,0 +1,35 @@
+/*
+ * This program and the accompanying materials are made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution, and is available at
+ * https://www.eclipse.org/legal/epl-v20.html
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Copyright Contributors to the Zowe Project.
+ */
+
+package org.zowe.apiml.apicatalog.security;
+
+import lombok.experimental.UtilityClass;
+import org.apache.commons.lang3.StringUtils;
+
+import java.util.List;
+
+@UtilityClass
+public class OidcUtils {
+
+    private String PREFIX = "ZWE_components_gateway_spring_security_oauth2_client_";
+
+    public List<String> getOidcProvider() {
+        return System.getenv().keySet().stream()
+            .filter(key -> StringUtils.startsWith(key, PREFIX))
+            .map(key -> key.substring(PREFIX.length()))
+            .map(key -> key.split("_"))
+            .filter(parts -> parts.length > 2)
+            .map(parts -> parts[1])
+            .distinct()
+            .sorted()
+            .toList();
+    }
+
+}
diff --git a/api-catalog-services/src/main/java/org/zowe/apiml/apicatalog/security/SecurityConfiguration.java b/api-catalog-services/src/main/java/org/zowe/apiml/apicatalog/security/SecurityConfiguration.java
index 581bad4fb9..08b20773f3 100644
--- a/api-catalog-services/src/main/java/org/zowe/apiml/apicatalog/security/SecurityConfiguration.java
+++ b/api-catalog-services/src/main/java/org/zowe/apiml/apicatalog/security/SecurityConfiguration.java
@@ -46,6 +46,7 @@
 import org.zowe.apiml.security.common.content.BasicContentFilter;
 import org.zowe.apiml.security.common.content.BearerContentFilter;
 import org.zowe.apiml.security.common.content.CookieContentFilter;
+import org.zowe.apiml.security.common.content.OidcContentFilter;
 import org.zowe.apiml.security.common.filter.CategorizeCertsFilter;
 import org.zowe.apiml.security.common.login.LoginFilter;
 import org.zowe.apiml.security.common.login.ShouldBeAlreadyAuthenticatedFilter;
@@ -151,7 +152,8 @@ public WebSecurityCustomizer webSecurityCustomizer() {
                 "/favicon.ico",
                 "/v3/api-docs",
                 "/index.html",
-                "/application/info"
+                "/application/info",
+                "/oidc/provider"
             };
             return web -> web.ignoring().requestMatchers(noSecurityAntMatchers);
         }
@@ -232,7 +234,8 @@ public void configure(HttpSecurity http) throws Exception {
                 .addFilterBefore(loginFilter(authConfigurationProperties.getServiceLoginEndpoint(), authenticationManager), ShouldBeAlreadyAuthenticatedFilter.class)
                 .addFilterBefore(basicFilter(authenticationManager), UsernamePasswordAuthenticationFilter.class)
                 .addFilterAfter(cookieFilter(authenticationManager), BasicContentFilter.class)
-                .addFilterAfter(bearerContentFilter(authenticationManager), CookieContentFilter.class);
+                .addFilterAfter(bearerContentFilter(authenticationManager), CookieContentFilter.class)
+                .addFilterAfter(oidcFilter(authenticationManager), BearerContentFilter.class);
         }
 
         private LoginFilter loginFilter(String loginEndpoint, AuthenticationManager authenticationManager) {
@@ -278,6 +281,18 @@ private BearerContentFilter bearerContentFilter(AuthenticationManager authentica
                 handlerInitializer.getResourceAccessExceptionHandler()
             );
         }
+
+        /**
+         * Secures content with a OIDC token
+         */
+        private OidcContentFilter oidcFilter(AuthenticationManager authenticationManager) {
+            return new OidcContentFilter(
+                authenticationManager,
+                handlerInitializer.getAuthenticationFailureHandler(),
+                handlerInitializer.getResourceAccessExceptionHandler()
+            );
+        }
+
     }
 
     @Bean
diff --git a/api-catalog-services/src/main/resources/application.yml b/api-catalog-services/src/main/resources/application.yml
index 870fcfbda6..c9674a62e2 100644
--- a/api-catalog-services/src/main/resources/application.yml
+++ b/api-catalog-services/src/main/resources/application.yml
@@ -172,6 +172,7 @@ eureka:
 
                 authentication:
                     sso: true
+                    scheme: zoweJwt
     client:
         healthcheck:
             enabled: true
diff --git a/api-catalog-services/src/test/java/org/zowe/apiml/apicatalog/controllers/api/ApiCatalogControllerTests.java b/api-catalog-services/src/test/java/org/zowe/apiml/apicatalog/controllers/api/ApiCatalogControllerTests.java
index d0499d0b70..0784640e21 100644
--- a/api-catalog-services/src/test/java/org/zowe/apiml/apicatalog/controllers/api/ApiCatalogControllerTests.java
+++ b/api-catalog-services/src/test/java/org/zowe/apiml/apicatalog/controllers/api/ApiCatalogControllerTests.java
@@ -13,10 +13,7 @@
 import com.netflix.appinfo.InstanceInfo;
 import com.netflix.discovery.shared.Application;
 import io.restassured.module.mockmvc.RestAssuredMockMvc;
-import org.junit.jupiter.api.Assertions;
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Nested;
-import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.*;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
 import org.zowe.apiml.apicatalog.exceptions.ContainerStatusRetrievalThrowable;
@@ -26,15 +23,15 @@
 import org.zowe.apiml.apicatalog.services.cached.CachedProductFamilyService;
 import org.zowe.apiml.apicatalog.services.cached.CachedServicesService;
 
+import java.lang.reflect.Field;
 import java.util.*;
 
+import static io.restassured.module.mockmvc.RestAssuredMockMvc.standaloneSetup;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.*;
+import static org.junit.jupiter.api.Assertions.*;
 import static org.mockito.BDDMockito.given;
 import static org.mockito.Mockito.mock;
-import static org.hamcrest.Matchers.is;
-import static org.hamcrest.Matchers.not;
-import static org.hamcrest.Matchers.nullValue;
-import static org.hamcrest.MatcherAssert.assertThat;
-import static io.restassured.module.mockmvc.RestAssuredMockMvc.standaloneSetup;
 
 class ApiCatalogControllerTests {
     private final String pathToContainers = "/containers";
@@ -142,9 +139,9 @@ void thenPopulateApiDocForServices() throws ContainerStatusRetrievalThrowable {
 
                 containers.getBody().forEach(apiContainer ->
                     apiContainer.getServices().forEach(apiService -> {
-                        Assertions.assertEquals(apiService.getServiceId(), apiService.getApiDoc());
-                        Assertions.assertEquals(apiVersions, apiService.getApiVersions());
-                        Assertions.assertEquals(defaultApiVersion, apiService.getDefaultApiVersion());
+                        assertEquals(apiService.getServiceId(), apiService.getApiDoc());
+                        assertEquals(apiVersions, apiService.getApiVersions());
+                        assertEquals(defaultApiVersion, apiService.getDefaultApiVersion());
                     }));
             }
 
@@ -158,8 +155,8 @@ void thenPopulateApiDocForServicesExceptOneWhichFails() throws ContainerStatusRe
                 containers.getBody().forEach(apiContainer ->
                     apiContainer.getServices().forEach(apiService -> {
                         if (apiService.getServiceId().equals("service1")) {
-                            Assertions.assertEquals(apiService.getServiceId(), apiService.getApiDoc());
-                            Assertions.assertEquals(apiService.getApiVersions(), apiVersions);
+                            assertEquals(apiService.getServiceId(), apiService.getApiDoc());
+                            assertEquals(apiService.getApiVersions(), apiVersions);
                         }
                         if (apiService.getServiceId().equals("service2")) {
                             Assertions.assertNull(apiService.getApiDoc());
@@ -177,11 +174,11 @@ void thenPopulateApiVersionsForServicesExceptOneWhichFails() throws ContainerSta
                 containers.getBody().forEach(apiContainer ->
                     apiContainer.getServices().forEach(apiService -> {
                         if (apiService.getServiceId().equals("service1")) {
-                            Assertions.assertEquals(apiService.getServiceId(), apiService.getApiDoc());
-                            Assertions.assertEquals(apiService.getApiVersions(), apiVersions);
+                            assertEquals(apiService.getServiceId(), apiService.getApiDoc());
+                            assertEquals(apiService.getApiVersions(), apiVersions);
                         }
                         if (apiService.getServiceId().equals("service2")) {
-                            Assertions.assertEquals(apiService.getServiceId(), apiService.getApiDoc());
+                            assertEquals(apiService.getServiceId(), apiService.getApiDoc());
                             Assertions.assertNull(apiService.getApiVersions());
                         }
                     }));
@@ -238,4 +235,52 @@ private InstanceInfo getStandardInstance(String serviceId, InstanceInfo.Instance
             null, null, null, null, null, null, null, 0, null, "hostname", status, null, null, null, null, null,
             null, null, null, null);
     }
+
+    @Nested
+    class OidcProviders {
+
+        private String[] env = {
+            "ZWE_components_gateway_spring_security_oauth2_client_provider_oidc1_authorizationUri",
+            "ZWE_components_gateway_spring_security_oauth2_client_registration_oidc2_clientId",
+            "ZWE_components_gateway_spring_security_oauth2_client_provider_oidc1_tokenUri"
+        };
+
+        Map<String, String> getEnvMap() {
+            try {
+                Class<?> envVarClass = System.getenv().getClass();
+                Field mField = envVarClass.getDeclaredField("m");
+                mField.setAccessible(true);
+                return (Map<String, String>) mField.get(System.getenv());
+            } catch (NoSuchFieldException | IllegalAccessException e) {
+                fail(e);
+                return null;
+            }
+        }
+
+        @AfterEach
+        void tearDown() {
+            Arrays.stream(env).forEach(k -> getEnvMap().remove(k));
+        }
+
+        @Test
+        void givenSystemEnv_whenInvokeOidcProviders_thenReturnTheList() {
+            Arrays.stream(env).forEach(k -> getEnvMap().put(k, "anyValue"));
+            List<String> oidcProviders = RestAssuredMockMvc.given()
+                .when().get("/oidc/provider")
+                .getBody().jsonPath().getList(".");
+            assertEquals(2, oidcProviders.size());
+            assertTrue(oidcProviders.contains("oidc1"));
+            assertTrue(oidcProviders.contains("oidc2"));
+        }
+
+        @Test
+        void givenNoSystemEnv_whenInvokeOidcProviders_thenReturnAnEmptyList() {
+            List<String> oidcProviders = RestAssuredMockMvc.given()
+                .when().get("/oidc/provider")
+                .getBody().jsonPath().getList(".");
+            assertEquals(0, oidcProviders.size());
+        }
+
+    }
+
 }
diff --git a/api-catalog-ui/frontend/src/components/Login/Login.jsx b/api-catalog-ui/frontend/src/components/Login/Login.jsx
index 8d1df9d59e..fd545781b0 100644
--- a/api-catalog-ui/frontend/src/components/Login/Login.jsx
+++ b/api-catalog-ui/frontend/src/components/Login/Login.jsx
@@ -31,6 +31,7 @@ import WarningIcon from '@material-ui/icons/Warning';
 import Spinner from '../Spinner/Spinner';
 import './Login.css';
 import Footer from '../Footer/Footer';
+import getBaseUrl from "../../helpers/urls";
 
 function Login(props) {
     const [username, setUsername] = useState('');
@@ -42,6 +43,9 @@ function Login(props) {
     const [warning, setWarning] = useState(false);
     const [submitted, setSubmitted] = useState(false);
 
+    const [oidcProvidersLoadingStarted, setOidcProviderLoadingStarted] = useState(false);
+    const [oidcProviders, setOidcProviders] = useState([]);
+
     const { returnToLogin, login, authentication, isFetching, validateInput } = props;
     const enterNewPassMsg = 'Enter a new password for account';
     const invalidPassMsg = 'The specified username or password is invalid.';
@@ -122,6 +126,21 @@ function Login(props) {
         setSubmitted(true);
     }
 
+    function loadOidcProviders() {
+        if (!oidcProvidersLoadingStarted) {
+            setOidcProviderLoadingStarted(true);
+            fetch(`${getBaseUrl()}/oidc/provider`).then(resp =>
+                resp.json().then(json => {
+                    console.log('json')
+                    setOidcProviders(json)
+                    return json
+                })
+            ).catch(() => setOidcProviderLoadingStarted(false))
+        }
+    }
+
+    loadOidcProviders();
+
     let errorData = { messageText: null, expired: false, invalidNewPassword: true, invalidCredentials: false };
     if (
         authentication !== undefined &&
@@ -299,6 +318,17 @@ function Login(props) {
                                     )}
                                 </FormControl>
                                 <div className="login-btns" id="loginButton">
+                                    {
+                                        oidcProviders.map(oidcProvider =>
+                                            <Button
+                                                variant="contained"
+                                                style={{ marginRight: '10px' }}
+                                                onClick={() => window.location = `/gateway/oauth2/authorization/${oidcProvider}?returnUrl=${encodeURIComponent(window.location.href.split('#')[0])}`}
+                                            >
+                                                Login with {oidcProvider}
+                                            </Button>)
+                                    }
+
                                     <Button
                                         variant="contained"
                                         color="primary"
diff --git a/api-catalog-ui/frontend/src/components/Login/Login.test.jsx b/api-catalog-ui/frontend/src/components/Login/Login.test.jsx
index 3f08d7ed01..7add903f96 100644
--- a/api-catalog-ui/frontend/src/components/Login/Login.test.jsx
+++ b/api-catalog-ui/frontend/src/components/Login/Login.test.jsx
@@ -14,6 +14,20 @@ import '@testing-library/jest-dom';
 import Login from './Login';
 
 describe('>>> Login page component tests', () => {
+
+    beforeEach(() => {
+        global.fetch = jest.fn().mockImplementation(() =>
+            Promise.resolve({
+                ok: true,
+                json: () => Promise.resolve([])
+            })
+        );
+    });
+
+    afterEach(() => {
+        global.fetch.mockRestore();
+    });
+
     it('should display password update form', () => {
         render(
             <Login
diff --git a/apiml-security-common/src/main/java/org/zowe/apiml/security/common/config/AuthConfigurationProperties.java b/apiml-security-common/src/main/java/org/zowe/apiml/security/common/config/AuthConfigurationProperties.java
index f3bff3e7cf..94e7a93876 100644
--- a/apiml-security-common/src/main/java/org/zowe/apiml/security/common/config/AuthConfigurationProperties.java
+++ b/apiml-security-common/src/main/java/org/zowe/apiml/security/common/config/AuthConfigurationProperties.java
@@ -39,6 +39,8 @@ public class AuthConfigurationProperties {
     private String gatewayQueryEndpoint = "/gateway/api/v1/auth/query";
     private String gatewayTicketEndpoint = "/gateway/api/v1/auth/ticket";
 
+    private String gatewayOidcValidateEndpoint = "/gateway/api/v1/auth/oidc-token/validate";
+
     private String zaasLoginEndpoint = "/zaas/api/v1/auth/login";
     private String zaasLogoutEndpoint = "/zaas/api/v1/auth/logout";
     private String zaasQueryEndpoint = "/zaas/api/v1/auth/query";
diff --git a/apiml-security-common/src/main/java/org/zowe/apiml/security/common/content/BearerContentFilter.java b/apiml-security-common/src/main/java/org/zowe/apiml/security/common/content/BearerContentFilter.java
index 715ac76666..f62da29664 100644
--- a/apiml-security-common/src/main/java/org/zowe/apiml/security/common/content/BearerContentFilter.java
+++ b/apiml-security-common/src/main/java/org/zowe/apiml/security/common/content/BearerContentFilter.java
@@ -53,7 +53,7 @@ protected Optional<AbstractAuthenticationToken> extractContent(HttpServletReques
         ).map(
             header -> {
                 header = header.replaceFirst(ApimlConstants.BEARER_AUTHENTICATION_PREFIX, "").trim();
-                return new TokenAuthentication(header);
+                return new TokenAuthentication(header, TokenAuthentication.Type.JWT);
             }
         );
     }
diff --git a/apiml-security-common/src/main/java/org/zowe/apiml/security/common/content/CookieContentFilter.java b/apiml-security-common/src/main/java/org/zowe/apiml/security/common/content/CookieContentFilter.java
index 33078d23b2..fce9a0af05 100644
--- a/apiml-security-common/src/main/java/org/zowe/apiml/security/common/content/CookieContentFilter.java
+++ b/apiml-security-common/src/main/java/org/zowe/apiml/security/common/content/CookieContentFilter.java
@@ -61,6 +61,6 @@ public Optional<AbstractAuthenticationToken> extractContent(HttpServletRequest r
             .filter(cookie -> cookie.getName().equals(authConfigurationProperties.getCookieProperties().getCookieName()))
             .filter(cookie -> !cookie.getValue().isEmpty())
             .findFirst()
-            .map(cookie -> new TokenAuthentication(cookie.getValue()));
+            .map(cookie -> new TokenAuthentication(cookie.getValue(), TokenAuthentication.Type.JWT));
     }
 }
diff --git a/apiml-security-common/src/main/java/org/zowe/apiml/security/common/content/OidcContentFilter.java b/apiml-security-common/src/main/java/org/zowe/apiml/security/common/content/OidcContentFilter.java
new file mode 100644
index 0000000000..964d641bf6
--- /dev/null
+++ b/apiml-security-common/src/main/java/org/zowe/apiml/security/common/content/OidcContentFilter.java
@@ -0,0 +1,37 @@
+/*
+ * This program and the accompanying materials are made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution, and is available at
+ * https://www.eclipse.org/legal/epl-v20.html
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Copyright Contributors to the Zowe Project.
+ */
+
+package org.zowe.apiml.security.common.content;
+
+import jakarta.servlet.http.HttpServletRequest;
+import org.springframework.security.authentication.AbstractAuthenticationToken;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.zowe.apiml.security.common.error.ResourceAccessExceptionHandler;
+import org.zowe.apiml.security.common.handler.FailedAuthenticationHandler;
+import org.zowe.apiml.security.common.token.TokenAuthentication;
+
+import java.util.Optional;
+
+import static org.zowe.apiml.constants.ApimlConstants.HEADER_OIDC_TOKEN;
+import static org.zowe.apiml.security.common.token.TokenAuthentication.Type.OIDC;
+
+public class OidcContentFilter extends AbstractSecureContentFilter {
+
+    public OidcContentFilter(AuthenticationManager authenticationManager, FailedAuthenticationHandler authenticationFailureHandler, ResourceAccessExceptionHandler resourceAccessExceptionHandler) {
+        super(authenticationManager, authenticationFailureHandler, resourceAccessExceptionHandler, new String[0]);
+    }
+
+    @Override
+    protected Optional<AbstractAuthenticationToken> extractContent(HttpServletRequest request) {
+        return Optional.ofNullable(request.getHeader(HEADER_OIDC_TOKEN))
+            .map(token -> new TokenAuthentication(token, OIDC));
+    }
+
+}
diff --git a/apiml-security-common/src/main/java/org/zowe/apiml/security/common/token/TokenAuthentication.java b/apiml-security-common/src/main/java/org/zowe/apiml/security/common/token/TokenAuthentication.java
index b726b39c58..663854cf5a 100644
--- a/apiml-security-common/src/main/java/org/zowe/apiml/security/common/token/TokenAuthentication.java
+++ b/apiml-security-common/src/main/java/org/zowe/apiml/security/common/token/TokenAuthentication.java
@@ -11,6 +11,7 @@
 package org.zowe.apiml.security.common.token;
 
 import lombok.EqualsAndHashCode;
+import lombok.Getter;
 import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.zowe.apiml.security.common.login.LoginFilter;
 
@@ -28,17 +29,26 @@ public class TokenAuthentication extends AbstractAuthenticationToken {
 
     private final String username;
     private final String token;
+    @Getter
+    private Type type;
 
     public TokenAuthentication(String token) {
-        super(Collections.emptyList());
-        this.username = null;
-        this.token = token;
+        this(token, (Type) null);
+    }
+
+    public TokenAuthentication(String token, Type type) {
+        this(null, token, type);
     }
 
     public TokenAuthentication(String username, String token) {
+        this(username, token, (Type) null);
+    }
+
+    public TokenAuthentication(String username, String token, Type type) {
         super(Collections.emptyList());
         this.username = username;
         this.token = token;
+        this.type = type;
     }
 
     /**
@@ -63,15 +73,21 @@ public String getPrincipal() {
      * @param token Token, which authenticate the user
      * @return TokenAuthentication marked as authenticated with username, token
      */
-    public static TokenAuthentication createAuthenticated(String username, String token) {
-        final TokenAuthentication out = new TokenAuthentication(username, token);
+    public static TokenAuthentication createAuthenticated(String username, String token, Type type) {
+        final TokenAuthentication out = new TokenAuthentication(username, token, type);
         out.setAuthenticated(true);
         return out;
     }
 
+    @SuppressWarnings("squid:S3655")
     public static TokenAuthentication createAuthenticatedFromHeader(String token, String authHeader) {
         var loginRequest = LoginFilter.getCredentialFromAuthorizationHeader(Optional.of(authHeader));
-        return createAuthenticated(loginRequest.get().getUsername(), token);
+        return createAuthenticated(loginRequest.get().getUsername(), token, Type.JWT);
+    }
+
+    public enum Type {
+        JWT,
+        OIDC
     }
 
 }
diff --git a/apiml-security-common/src/test/java/org/zowe/apiml/security/common/content/BearerContentFilterTest.java b/apiml-security-common/src/test/java/org/zowe/apiml/security/common/content/BearerContentFilterTest.java
index 658bcdd1f1..4792ef3b9c 100644
--- a/apiml-security-common/src/test/java/org/zowe/apiml/security/common/content/BearerContentFilterTest.java
+++ b/apiml-security-common/src/test/java/org/zowe/apiml/security/common/content/BearerContentFilterTest.java
@@ -59,7 +59,7 @@ class WhenAuthenticate {
             @Test
             void thenSuccess() throws ServletException, IOException {
                 String token = "token";
-                TokenAuthentication tokenAuthentication = new TokenAuthentication(token);
+                TokenAuthentication tokenAuthentication = new TokenAuthentication(token, TokenAuthentication.Type.JWT);
                 request.addHeader(HttpHeaders.AUTHORIZATION, BEARER_AUTH);
 
                 bearerContentFilter.doFilter(request, response, filterChain);
@@ -78,7 +78,7 @@ void thenAuthenticationFails() throws ServletException, IOException {
                 String token = "token";
                 RuntimeException exception = new RuntimeException("No Gateway");
 
-                TokenAuthentication tokenAuthentication = new TokenAuthentication(token);
+                TokenAuthentication tokenAuthentication = new TokenAuthentication(token, TokenAuthentication.Type.JWT);
                 request.addHeader(HttpHeaders.AUTHORIZATION, BEARER_AUTH);
                 when(authenticationManager.authenticate(tokenAuthentication)).thenThrow(exception);
 
@@ -122,7 +122,7 @@ void thenAuthenticationFails() throws ServletException, IOException {
                 String token = "token";
                 AuthenticationException exception = new BadCredentialsException("Token not valid");
 
-                TokenAuthentication tokenAuthentication = new TokenAuthentication(token);
+                TokenAuthentication tokenAuthentication = new TokenAuthentication(token, TokenAuthentication.Type.JWT);
                 request.addHeader(HttpHeaders.AUTHORIZATION, BEARER_AUTH);
                 when(authenticationManager.authenticate(tokenAuthentication)).thenThrow(exception);
 
@@ -163,7 +163,7 @@ void thenExtractContent() {
             request.addHeader(HttpHeaders.AUTHORIZATION, BEARER_AUTH);
             Optional<AbstractAuthenticationToken> content = bearerContentFilter.extractContent(request);
 
-            TokenAuthentication actualToken = new TokenAuthentication("token");
+            TokenAuthentication actualToken = new TokenAuthentication("token", TokenAuthentication.Type.JWT);
 
             assertTrue(content.isPresent());
             assertEquals(actualToken, content.get());
diff --git a/apiml-security-common/src/test/java/org/zowe/apiml/security/common/content/CookieContentFilterTest.java b/apiml-security-common/src/test/java/org/zowe/apiml/security/common/content/CookieContentFilterTest.java
index 7489738d69..260e0e6c17 100644
--- a/apiml-security-common/src/test/java/org/zowe/apiml/security/common/content/CookieContentFilterTest.java
+++ b/apiml-security-common/src/test/java/org/zowe/apiml/security/common/content/CookieContentFilterTest.java
@@ -61,7 +61,7 @@ void setUp() {
     void authenticationWithValidTokenInsideCookie() throws ServletException, IOException {
         String token = "token";
 
-        TokenAuthentication tokenAuthentication = new TokenAuthentication(token);
+        TokenAuthentication tokenAuthentication = new TokenAuthentication(token, TokenAuthentication.Type.JWT);
         Cookie cookie = new Cookie(authConfigurationProperties.getCookieProperties().getCookieName(), token);
         request.setCookies(cookie);
 
@@ -97,7 +97,7 @@ void shouldNotAuthenticateWithBadCredentials() throws ServletException, IOExcept
         String token = "token";
         AuthenticationException exception = new BadCredentialsException("Token not valid");
 
-        TokenAuthentication tokenAuthentication = new TokenAuthentication(token);
+        TokenAuthentication tokenAuthentication = new TokenAuthentication(token, TokenAuthentication.Type.JWT);
         Cookie cookie = new Cookie(authConfigurationProperties.getCookieProperties().getCookieName(), token);
         request.setCookies(cookie);
 
@@ -116,7 +116,7 @@ void shouldNotAuthenticateWithNoGateway() throws ServletException, IOException {
         String token = "token";
         RuntimeException exception = new RuntimeException("No Gateway");
 
-        TokenAuthentication tokenAuthentication = new TokenAuthentication(token);
+        TokenAuthentication tokenAuthentication = new TokenAuthentication(token, TokenAuthentication.Type.JWT);
         Cookie cookie = new Cookie(authConfigurationProperties.getCookieProperties().getCookieName(), token);
         request.setCookies(cookie);
 
@@ -154,7 +154,7 @@ void shouldExtractContent() {
 
         Optional<AbstractAuthenticationToken> content = cookieContentFilter.extractContent(request);
 
-        TokenAuthentication actualToken = new TokenAuthentication(cookie.getValue());
+        TokenAuthentication actualToken = new TokenAuthentication(cookie.getValue(), TokenAuthentication.Type.JWT);
 
         assertTrue(content.isPresent());
         assertEquals(actualToken, content.get());
diff --git a/apiml-security-common/src/test/java/org/zowe/apiml/security/common/token/TokenAuthenticationTest.java b/apiml-security-common/src/test/java/org/zowe/apiml/security/common/token/TokenAuthenticationTest.java
index d4449ba813..53472146ab 100644
--- a/apiml-security-common/src/test/java/org/zowe/apiml/security/common/token/TokenAuthenticationTest.java
+++ b/apiml-security-common/src/test/java/org/zowe/apiml/security/common/token/TokenAuthenticationTest.java
@@ -14,13 +14,16 @@
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.zowe.apiml.security.common.token.TokenAuthentication.Type.JWT;
+
 class TokenAuthenticationTest {
 
     @Test
     void testCreateAuthenticated() {
-        TokenAuthentication ta = TokenAuthentication.createAuthenticated("user", "token");
+        TokenAuthentication ta = TokenAuthentication.createAuthenticated("user", "token", JWT);
         assertEquals("user", ta.getPrincipal());
         assertEquals("token", ta.getCredentials());
+        assertEquals(JWT, ta.getType());
         assertTrue(ta.isAuthenticated());
     }
 
diff --git a/gateway-service/src/main/java/org/zowe/apiml/gateway/filters/security/TokenAuthFilter.java b/gateway-service/src/main/java/org/zowe/apiml/gateway/filters/security/TokenAuthFilter.java
index ce45f458a4..e56d47c697 100644
--- a/gateway-service/src/main/java/org/zowe/apiml/gateway/filters/security/TokenAuthFilter.java
+++ b/gateway-service/src/main/java/org/zowe/apiml/gateway/filters/security/TokenAuthFilter.java
@@ -21,6 +21,7 @@
 import org.springframework.web.server.WebFilterChain;
 import org.zowe.apiml.gateway.service.TokenProvider;
 import org.zowe.apiml.security.common.config.AuthConfigurationProperties;
+import org.zowe.apiml.security.common.token.TokenAuthentication;
 import org.zowe.apiml.util.CookieUtil;
 import reactor.core.publisher.Mono;
 
@@ -43,7 +44,7 @@ public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
             .validateToken(jwt)
             .flatMap(resp -> {
                 if (StringUtils.isNotBlank(resp.getUserId())) {
-                    Authentication authentication = createAuthenticated(resp.getUserId(), jwt);
+                    Authentication authentication = createAuthenticated(resp.getUserId(), jwt, TokenAuthentication.Type.JWT);
                     return chain.filter(exchange)
                         .contextWrite(context -> ReactiveSecurityContextHolder.withAuthentication(authentication));
                 }
diff --git a/security-service-client-spring/build.gradle b/security-service-client-spring/build.gradle
index dba84ed78a..baf1cdea55 100644
--- a/security-service-client-spring/build.gradle
+++ b/security-service-client-spring/build.gradle
@@ -10,5 +10,6 @@ dependencies {
     testImplementation(testFixtures(project(":apiml-common")))
 
     compileOnly libs.lombok
+    testCompileOnly libs.lombok
     annotationProcessor libs.lombok
 }
diff --git a/security-service-client-spring/src/main/java/org/zowe/apiml/security/client/login/GatewayLoginProvider.java b/security-service-client-spring/src/main/java/org/zowe/apiml/security/client/login/GatewayLoginProvider.java
index 66f450e26e..797ed38e88 100644
--- a/security-service-client-spring/src/main/java/org/zowe/apiml/security/client/login/GatewayLoginProvider.java
+++ b/security-service-client-spring/src/main/java/org/zowe/apiml/security/client/login/GatewayLoginProvider.java
@@ -61,7 +61,7 @@ public Authentication authenticate(Authentication authentication) {
                 throw new BadCredentialsException("Invalid Credentials");
             }
 
-            TokenAuthentication tokenAuthentication = new TokenAuthentication(username, token.get());
+            TokenAuthentication tokenAuthentication = new TokenAuthentication(username, token.get(), TokenAuthentication.Type.JWT);
             tokenAuthentication.setAuthenticated(true);
 
             return tokenAuthentication;
diff --git a/security-service-client-spring/src/main/java/org/zowe/apiml/security/client/service/GatewaySecurityService.java b/security-service-client-spring/src/main/java/org/zowe/apiml/security/client/service/GatewaySecurityService.java
index 94387046aa..2971d3fbf3 100644
--- a/security-service-client-spring/src/main/java/org/zowe/apiml/security/client/service/GatewaySecurityService.java
+++ b/security-service-client-spring/src/main/java/org/zowe/apiml/security/client/service/GatewaySecurityService.java
@@ -11,7 +11,10 @@
 package org.zowe.apiml.security.client.service;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
+import lombok.AllArgsConstructor;
+import lombok.Data;
 import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.ArrayUtils;
 import org.apache.hc.client5.http.classic.methods.HttpGet;
 import org.apache.hc.client5.http.classic.methods.HttpPost;
@@ -40,6 +43,7 @@
  * provides facility for performing login and validating JWT token
  */
 @Service
+@Slf4j
 @RequiredArgsConstructor
 public class GatewaySecurityService {
     private static final String MESSAGE_KEY_STRING = "messageKey\":\"";
@@ -116,9 +120,9 @@ public QueryResponse query(String token) {
                     responseBody = EntityUtils.toString(responseEntity, StandardCharsets.UTF_8);
                 }
                 if (!HttpStatus.valueOf(response.getCode()).is2xxSuccessful()) {
+                    log.debug("Cannot access Gateway service to verify JWT token. Uri '{}' returned: {}", uri, response);
                     ErrorType errorType = getErrorType(responseBody);
-                    responseHandler.handleErrorType(response, errorType,
-                        "Cannot access Gateway service. Uri '{}' returned: {}", uri);
+                    responseHandler.handleErrorType(response, errorType, uri);
                     return null;
                 }
                 return objectMapper.readValue(responseBody, QueryResponse.class);
@@ -129,6 +133,35 @@ public QueryResponse query(String token) {
         return null;
     }
 
+    public QueryResponse verifyOidc(String token) {
+        ServiceAddress gatewayConfigProperties = gatewayClient.getGatewayConfigProperties();
+        String uri = String.format("%s://%s%s", gatewayConfigProperties.getScheme(),
+            gatewayConfigProperties.getHostname(), authConfigurationProperties.getGatewayOidcValidateEndpoint());
+
+        try {
+            HttpPost post = new HttpPost(uri);
+            post.setEntity(new StringEntity(objectMapper.writeValueAsString(new TokenRequest(token)), ContentType.APPLICATION_JSON));
+
+            return closeableHttpClient.execute(post, response -> {
+                final HttpEntity responseEntity = response.getEntity();
+                String responseBody = null;
+                if (responseEntity != null) {
+                    responseBody = EntityUtils.toString(responseEntity, StandardCharsets.UTF_8);
+                }
+                if (!HttpStatus.valueOf(response.getCode()).is2xxSuccessful()) {
+                    log.debug("Cannot access Gateway service to verify OIDC token. Uri '{}' returned: {}", uri, response);
+                    ErrorType errorType = getErrorType(responseBody);
+                    responseHandler.handleErrorType(response, errorType, uri);
+                    return null;
+                }
+                return new QueryResponse();
+            });
+        } catch (IOException e) {
+            responseHandler.handleException(e);
+        }
+        return null;
+    }
+
     private ErrorType getErrorType(String detailMessage) {
         if (detailMessage == null) {
             return ErrorType.AUTH_GENERAL;
@@ -161,4 +194,11 @@ private Optional<String> extractToken(String cookies) {
             return Optional.of(cookie.replace(cookieName + "=", ""));
         }
     }
+
+    @Data
+    @AllArgsConstructor
+    static class TokenRequest {
+        String token;
+    }
+
 }
diff --git a/security-service-client-spring/src/main/java/org/zowe/apiml/security/client/token/GatewayTokenProvider.java b/security-service-client-spring/src/main/java/org/zowe/apiml/security/client/token/GatewayTokenProvider.java
index 572a65b5e2..9915345098 100644
--- a/security-service-client-spring/src/main/java/org/zowe/apiml/security/client/token/GatewayTokenProvider.java
+++ b/security-service-client-spring/src/main/java/org/zowe/apiml/security/client/token/GatewayTokenProvider.java
@@ -35,9 +35,14 @@ public class GatewayTokenProvider implements AuthenticationProvider {
     @Override
     public Authentication authenticate(Authentication authentication) {
         TokenAuthentication tokenAuthentication = (TokenAuthentication) authentication;
-        QueryResponse queryResponse = gatewaySecurityService.query(tokenAuthentication.getCredentials());
+        QueryResponse queryResponse;
+        if (tokenAuthentication.getType() == TokenAuthentication.Type.OIDC) {
+            queryResponse = gatewaySecurityService.verifyOidc(tokenAuthentication.getCredentials());
+        } else {
+            queryResponse = gatewaySecurityService.query(tokenAuthentication.getCredentials());
+        }
 
-        TokenAuthentication validTokenAuthentication = new TokenAuthentication(queryResponse.getUserId(), tokenAuthentication.getCredentials());
+        TokenAuthentication validTokenAuthentication = new TokenAuthentication(queryResponse.getUserId(), tokenAuthentication.getCredentials(), tokenAuthentication.getType());
         validTokenAuthentication.setAuthenticated(true);
 
         return validTokenAuthentication;
diff --git a/security-service-client-spring/src/test/java/org/zowe/apiml/security/client/token/GatewayTokenProviderTest.java b/security-service-client-spring/src/test/java/org/zowe/apiml/security/client/token/GatewayTokenProviderTest.java
index f9bcf27c70..b09bd77047 100644
--- a/security-service-client-spring/src/test/java/org/zowe/apiml/security/client/token/GatewayTokenProviderTest.java
+++ b/security-service-client-spring/src/test/java/org/zowe/apiml/security/client/token/GatewayTokenProviderTest.java
@@ -10,49 +10,153 @@
 
 package org.zowe.apiml.security.client.token;
 
+import com.fasterxml.jackson.databind.ObjectMapper;
+import org.apache.hc.client5.http.classic.methods.HttpGet;
+import org.apache.hc.client5.http.classic.methods.HttpPost;
+import org.apache.hc.client5.http.classic.methods.HttpUriRequestBase;
+import org.apache.hc.client5.http.impl.classic.CloseableHttpClient;
+import org.apache.hc.core5.http.ContentType;
+import org.apache.hc.core5.http.io.HttpClientResponseHandler;
+import org.apache.hc.core5.http.io.entity.AbstractHttpEntity;
+import org.apache.hc.core5.http.io.entity.StringEntity;
+import org.apache.hc.core5.http.message.BasicClassicHttpResponse;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Nested;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.CsvSource;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.zowe.apiml.product.gateway.GatewayClient;
+import org.zowe.apiml.product.instance.ServiceAddress;
+import org.zowe.apiml.security.client.handler.RestResponseHandler;
 import org.zowe.apiml.security.client.service.GatewaySecurityService;
+import org.zowe.apiml.security.common.config.AuthConfigurationProperties;
 import org.zowe.apiml.security.common.token.QueryResponse;
 import org.zowe.apiml.security.common.token.TokenAuthentication;
-import org.junit.jupiter.api.Test;
-import org.springframework.security.core.Authentication;
 
+import java.io.IOException;
 import java.util.Collections;
 import java.util.Date;
 
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertFalse;
-import static org.junit.jupiter.api.Assertions.assertTrue;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.when;
+import static org.junit.jupiter.api.Assertions.*;
+import static org.mockito.Mockito.*;
 
 class GatewayTokenProviderTest {
-    private static final String USER = "USER";
-    private static final String DOMAIN = "PASS";
-    private static final String VALID_TOKEN = "VALID_TOKEN";
 
-    private final GatewaySecurityService gatewaySecurityService = mock(GatewaySecurityService.class);
-    private final GatewayTokenProvider gatewayTokenProvider = new GatewayTokenProvider(gatewaySecurityService);
+    @Nested
+    class Authenticate {
 
-    @Test
-    void shouldAuthenticateValidToken() {
-        when(gatewaySecurityService.query(VALID_TOKEN)).thenReturn(new QueryResponse(DOMAIN, USER, new Date(), new Date(), "issuer", Collections.emptyList(), QueryResponse.Source.ZOWE));
-        TokenAuthentication tokenAuthentication = new TokenAuthentication(VALID_TOKEN);
+        private static final String USER = "USER";
+        private static final String DOMAIN = "PASS";
+        private static final String VALID_TOKEN = "VALID_TOKEN";
 
-        Authentication processedAuthentication = gatewayTokenProvider.authenticate(tokenAuthentication);
+        private final GatewaySecurityService gatewaySecurityService = mock(GatewaySecurityService.class);
+        private final GatewayTokenProvider gatewayTokenProvider = new GatewayTokenProvider(gatewaySecurityService);
 
-        assertTrue(processedAuthentication instanceof TokenAuthentication);
-        assertTrue(processedAuthentication.isAuthenticated());
-        assertEquals(VALID_TOKEN, processedAuthentication.getCredentials());
-        assertEquals(USER, processedAuthentication.getName());
-    }
+        @Test
+        void shouldAuthenticateValidToken() {
+            when(gatewaySecurityService.query(VALID_TOKEN)).thenReturn(new QueryResponse(DOMAIN, USER, new Date(), new Date(), "issuer", Collections.emptyList(), QueryResponse.Source.ZOWE));
+            TokenAuthentication tokenAuthentication = new TokenAuthentication(VALID_TOKEN);
+
+            Authentication processedAuthentication = gatewayTokenProvider.authenticate(tokenAuthentication);
+
+            assertTrue(processedAuthentication instanceof TokenAuthentication);
+            assertTrue(processedAuthentication.isAuthenticated());
+            assertEquals(VALID_TOKEN, processedAuthentication.getCredentials());
+            assertEquals(USER, processedAuthentication.getName());
+        }
+
+        @Test
+        void shouldSupportTokenAuthentication() {
+            assertTrue(gatewayTokenProvider.supports(TokenAuthentication.class));
+        }
+
+        @Test
+        void shouldNotSupportGenericAuthentication() {
+            assertFalse(gatewayTokenProvider.supports(Authentication.class));
+        }
 
-    @Test
-    void shouldSupportTokenAuthentication() {
-        assertTrue(gatewayTokenProvider.supports(TokenAuthentication.class));
     }
 
-    @Test
-    void shouldNotSupportGenericAuthentication() {
-        assertFalse(gatewayTokenProvider.supports(Authentication.class));
+    @Nested
+    class Tokens {
+
+        GatewayTokenProvider gatewayTokenProvider;
+        CloseableHttpClient closeableHttpClient = mock(CloseableHttpClient.class);
+
+        @BeforeEach
+        void setUp() throws IOException {
+            GatewayClient gatewayClient = new GatewayClient(ServiceAddress.builder().scheme("https").hostname("localhost").build());
+
+            GatewaySecurityService gatewaySecurityService = new GatewaySecurityService(
+                gatewayClient,
+                new AuthConfigurationProperties(),
+                closeableHttpClient,
+                new RestResponseHandler()
+            );
+
+            this.gatewayTokenProvider = new GatewayTokenProvider(gatewaySecurityService);
+
+            doAnswer(invocation -> {
+                HttpUriRequestBase request = invocation.getArgument(0);
+                HttpClientResponseHandler handler = invocation.getArgument(1);
+
+                String token = null;
+                AbstractHttpEntity entity = null;
+                if (request instanceof HttpGet get) {
+                    // query
+                    assertEquals("https://localhost/gateway/api/v1/auth/query", get.getUri().toString());
+                    String[] cookieParts = get.getHeader("cookie").getValue().split("=");
+                    assertEquals("apimlAuthenticationToken", cookieParts[0]);
+                    token = cookieParts[1];
+                    entity = new StringEntity(new ObjectMapper().writeValueAsString(new QueryResponse()), ContentType.APPLICATION_JSON);
+                } else if (request instanceof HttpPost post) {
+                    // oid validation
+                    assertEquals("https://localhost/gateway/api/v1/auth/oidc-token/validate", post.getUri().toString());
+                    token = new ObjectMapper().readTree(post.getEntity().getContent()).get("token").asText();
+                } else {
+                    fail("Unknown request");
+                }
+
+                var response = new BasicClassicHttpResponse("valid".equals(token) ? 200 : 401);
+                if (entity != null) {
+                    response.setEntity(entity);
+                }
+                return handler.handleResponse(response);
+            }).when(closeableHttpClient).execute(any(), (HttpClientResponseHandler<?>) any());
+        }
+
+        @Test
+        void givenValidOidcToken_whenAuthenticate_thenCallOidcEndpoint() {
+            var authenticate = gatewayTokenProvider.authenticate(new TokenAuthentication("valid", TokenAuthentication.Type.OIDC));
+            assertTrue(authenticate.isAuthenticated());
+        }
+
+        @ParameterizedTest
+        @CsvSource({
+            ",",
+            "JWT"
+        })
+        void givenValidJwtToken_whenAuthenticate_thenCallOidcEndpoint(TokenAuthentication.Type type) {
+            var authenticate = gatewayTokenProvider.authenticate(new TokenAuthentication("valid", type));
+            assertTrue(authenticate.isAuthenticated());
+        }
+
+        @Test
+        void givenInvalidOidcToken_whenAuthenticate_thenCallOidcEndpoint() {
+            assertThrows(AuthenticationException.class, () -> gatewayTokenProvider.authenticate(new TokenAuthentication("invalid", TokenAuthentication.Type.OIDC)));
+        }
+
+        @ParameterizedTest
+        @CsvSource({
+            ",",
+            "JWT"
+        })
+        void givenInvalidJwtToken_whenAuthenticate_thenCallOidcEndpoint(TokenAuthentication.Type type) {
+            assertThrows(AuthenticationException.class, () -> gatewayTokenProvider.authenticate(new TokenAuthentication("invalid", type)));
+        }
+
     }
+
 }
diff --git a/zaas-service/src/main/java/org/zowe/apiml/zaas/security/login/dummy/DummyAuthenticationProvider.java b/zaas-service/src/main/java/org/zowe/apiml/zaas/security/login/dummy/DummyAuthenticationProvider.java
index 317957b7e6..480c3b8fc3 100644
--- a/zaas-service/src/main/java/org/zowe/apiml/zaas/security/login/dummy/DummyAuthenticationProvider.java
+++ b/zaas-service/src/main/java/org/zowe/apiml/zaas/security/login/dummy/DummyAuthenticationProvider.java
@@ -83,7 +83,7 @@ public Authentication authenticate(Authentication authentication) {
         String username = usernamePasswordAuthentication.getName();
         String token = authenticationService.createJwtToken(username, DUMMY_PROVIDER, null);
 
-        TokenAuthentication tokenAuthentication = new TokenAuthentication(username, token);
+        TokenAuthentication tokenAuthentication = new TokenAuthentication(username, token, TokenAuthentication.Type.JWT);
         tokenAuthentication.setAuthenticated(true);
         return tokenAuthentication;
     }
diff --git a/zaas-service/src/main/java/org/zowe/apiml/zaas/security/login/x509/X509AuthenticationProvider.java b/zaas-service/src/main/java/org/zowe/apiml/zaas/security/login/x509/X509AuthenticationProvider.java
index 85d23884d6..3c6afc5744 100644
--- a/zaas-service/src/main/java/org/zowe/apiml/zaas/security/login/x509/X509AuthenticationProvider.java
+++ b/zaas-service/src/main/java/org/zowe/apiml/zaas/security/login/x509/X509AuthenticationProvider.java
@@ -66,7 +66,7 @@ public Authentication authenticate(Authentication authentication) {
             }
             log.debug("Successfully mapped user to certificate: {}", username);
             String jwtToken = tokenCreationService.createJwtTokenWithoutCredentials(username);
-            Authentication tokenAuthentication = new TokenAuthentication(username, jwtToken);
+            Authentication tokenAuthentication = new TokenAuthentication(username, jwtToken, TokenAuthentication.Type.JWT);
             tokenAuthentication.setAuthenticated(true);
             log.debug("Successfully authenticated user {} by X509 certificate.", username);
             return tokenAuthentication;
diff --git a/zaas-service/src/main/java/org/zowe/apiml/zaas/security/query/QueryFilter.java b/zaas-service/src/main/java/org/zowe/apiml/zaas/security/query/QueryFilter.java
index 7edd00a605..7f3b07bc24 100644
--- a/zaas-service/src/main/java/org/zowe/apiml/zaas/security/query/QueryFilter.java
+++ b/zaas-service/src/main/java/org/zowe/apiml/zaas/security/query/QueryFilter.java
@@ -85,7 +85,7 @@ public Authentication attemptAuthentication(HttpServletRequest request, HttpServ
         String token = authenticationService.getJwtTokenFromRequest(request)
             .orElseThrow(() -> new TokenNotProvidedException("Authorization token not provided."));
 
-        Authentication result = this.getAuthenticationManager().authenticate(new TokenAuthentication(token));
+        Authentication result = this.getAuthenticationManager().authenticate(new TokenAuthentication(token, TokenAuthentication.Type.JWT));
         if (result.isAuthenticated()) {
             return result;
         } else {
diff --git a/zaas-service/src/main/java/org/zowe/apiml/zaas/security/service/AuthenticationService.java b/zaas-service/src/main/java/org/zowe/apiml/zaas/security/service/AuthenticationService.java
index e681b42b0f..bd0fdfcc10 100644
--- a/zaas-service/src/main/java/org/zowe/apiml/zaas/security/service/AuthenticationService.java
+++ b/zaas-service/src/main/java/org/zowe/apiml/zaas/security/service/AuthenticationService.java
@@ -268,7 +268,7 @@ public TokenAuthentication validateJwtToken(String jwtToken) {
                 throw new TokenNotValidException("Unknown token type.");
         }
 
-        TokenAuthentication tokenAuthentication = new TokenAuthentication(queryResponse.getUserId(), jwtToken);
+        TokenAuthentication tokenAuthentication = new TokenAuthentication(queryResponse.getUserId(), jwtToken, TokenAuthentication.Type.JWT);
         // without a proxy cache aspect is not working, thus it is necessary get bean from application context
         final boolean authenticated = !meAsProxy.isInvalidated(jwtToken);
         tokenAuthentication.setAuthenticated(authenticated && isValid);
@@ -286,7 +286,7 @@ public TokenAuthentication validateJwtToken(String jwtToken) {
      */
     @CachePut(value = "validationJwtToken", key = "#jwtToken", condition = "#jwtToken != null")
     public TokenAuthentication createTokenAuthentication(String user, String jwtToken) {
-        final TokenAuthentication out = new TokenAuthentication(user, jwtToken);
+        final TokenAuthentication out = new TokenAuthentication(user, jwtToken, TokenAuthentication.Type.JWT);
         // without a proxy cache aspect is not working, thus it is necessary get bean from application context
         final boolean authenticated = !meAsProxy.isInvalidated(jwtToken);
         out.setAuthenticated(authenticated);
diff --git a/zaas-service/src/test/java/org/zowe/apiml/zaas/controllers/AuthControllerTest.java b/zaas-service/src/test/java/org/zowe/apiml/zaas/controllers/AuthControllerTest.java
index 632c9e2089..e8cba6b0cf 100644
--- a/zaas-service/src/test/java/org/zowe/apiml/zaas/controllers/AuthControllerTest.java
+++ b/zaas-service/src/test/java/org/zowe/apiml/zaas/controllers/AuthControllerTest.java
@@ -340,7 +340,7 @@ void thenInvalidateForScope(String url) throws Exception {
                 @Test
                 void thenInvalidateOwnTokens() throws Exception {
                     SecurityContext context = new SecurityContextImpl();
-                    context.setAuthentication(TokenAuthentication.createAuthenticated("user", "token"));
+                    context.setAuthentication(TokenAuthentication.createAuthenticated("user", "token", TokenAuthentication.Type.JWT));
                     SecurityContextHolder.setContext(context);
                     body = new JSONObject()
                         .put("timestamp", "1234");
diff --git a/zaas-service/src/test/java/org/zowe/apiml/zaas/security/login/zosmf/ZosmfAuthenticationProviderTest.java b/zaas-service/src/test/java/org/zowe/apiml/zaas/security/login/zosmf/ZosmfAuthenticationProviderTest.java
index a01cf0767b..a9b29d98d2 100644
--- a/zaas-service/src/test/java/org/zowe/apiml/zaas/security/login/zosmf/ZosmfAuthenticationProviderTest.java
+++ b/zaas-service/src/test/java/org/zowe/apiml/zaas/security/login/zosmf/ZosmfAuthenticationProviderTest.java
@@ -134,7 +134,7 @@ void setUp() {
         authConfigurationProperties.getZosmf().setJwtAutoconfiguration(JWT);
         zosmfInstance = createInstanceInfo(HOST, PORT);
 
-        lenient().doAnswer((Answer<TokenAuthentication>) invocation -> TokenAuthentication.createAuthenticated(invocation.getArgument(0), invocation.getArgument(1))).when(authenticationService).createTokenAuthentication(anyString(), anyString());
+        lenient().doAnswer((Answer<TokenAuthentication>) invocation -> TokenAuthentication.createAuthenticated(invocation.getArgument(0), invocation.getArgument(1), TokenAuthentication.Type.JWT)).when(authenticationService).createTokenAuthentication(anyString(), anyString());
         lenient().when(authenticationService.createJwtToken(anyString(), anyString(), anyString())).thenReturn("someJwtToken");
     }
 
diff --git a/zaas-service/src/test/java/org/zowe/apiml/zaas/security/query/QueryFilterTest.java b/zaas-service/src/test/java/org/zowe/apiml/zaas/security/query/QueryFilterTest.java
index 8f5a28473d..5dd1d08be3 100644
--- a/zaas-service/src/test/java/org/zowe/apiml/zaas/security/query/QueryFilterTest.java
+++ b/zaas-service/src/test/java/org/zowe/apiml/zaas/security/query/QueryFilterTest.java
@@ -75,9 +75,9 @@ void shouldCallAuthenticationManagerAuthenticate() {
         when(authenticationService.getJwtTokenFromRequest(any())).thenReturn(
             Optional.of(VALID_TOKEN)
         );
-        TokenAuthentication valid = new TokenAuthentication(VALID_TOKEN);
+        TokenAuthentication valid = new TokenAuthentication(VALID_TOKEN, TokenAuthentication.Type.JWT);
         valid.setAuthenticated(true);
-        when(authenticationManager.authenticate(new TokenAuthentication(VALID_TOKEN))).thenReturn(valid);
+        when(authenticationManager.authenticate(new TokenAuthentication(VALID_TOKEN, TokenAuthentication.Type.JWT))).thenReturn(valid);
 
         queryFilter.attemptAuthentication(httpServletRequest, httpServletResponse);
 
@@ -137,9 +137,9 @@ void givenInvalidToken_whenQueryIsCalled_thenThrowTokenNotValidException() {
             Optional.of(VALID_TOKEN)
         );
 
-        TokenAuthentication invalid = new TokenAuthentication(VALID_TOKEN);
+        TokenAuthentication invalid = new TokenAuthentication(VALID_TOKEN, TokenAuthentication.Type.JWT);
         invalid.setAuthenticated(false);
-        when(authenticationManager.authenticate(new TokenAuthentication(VALID_TOKEN))).thenReturn(invalid);
+        when(authenticationManager.authenticate(new TokenAuthentication(VALID_TOKEN, TokenAuthentication.Type.JWT))).thenReturn(invalid);
 
         assertThrows(TokenNotValidException.class, () -> {
             queryFilter.attemptAuthentication(httpServletRequest, httpServletResponse);
diff --git a/zaas-service/src/test/java/org/zowe/apiml/zaas/security/service/schema/source/JwtAuthSourceServiceTest.java b/zaas-service/src/test/java/org/zowe/apiml/zaas/security/service/schema/source/JwtAuthSourceServiceTest.java
index 9e51393fe6..70b93d9366 100644
--- a/zaas-service/src/test/java/org/zowe/apiml/zaas/security/service/schema/source/JwtAuthSourceServiceTest.java
+++ b/zaas-service/src/test/java/org/zowe/apiml/zaas/security/service/schema/source/JwtAuthSourceServiceTest.java
@@ -52,7 +52,7 @@ class JwtAuthSourceServiceTest {
     @BeforeEach
     public void setup() {
         jwtAuthSource = new JwtAuthSource("jwtToken");
-        tokenAuthentication = TokenAuthentication.createAuthenticated("user", token);
+        tokenAuthentication = TokenAuthentication.createAuthenticated("user", token, TokenAuthentication.Type.JWT);
         expectedParsedSource = new ParsedTokenAuthSource("user", new Date(111), new Date(222), Origin.ZOSMF);
     }