
ECC Encryption and Decryption in Apigee

Dear @dchiesa1, @anil

There is a requirement where the consumer is encrypting end-user credentials using the ECC (Elliptic Curve Cryptography) algorithm, and we need to decrypt and propagate the credentials to the target application. I have not found any suitable Apigee libraries available for ECC encryption/decryption in this context.

Could you kindly advise on the best approach to implement encryption/decryption for this purpose? Specifically, should we utilize JavaScript or a Java callout for this implementation? Also, please let me know if there are any relevant Apigee libraries or resources that could assist with this task.

1 ACCEPTED SOLUTION

ok then, if you need ECC at the app layer, then:

  • You can use encrypted JWT. Apigee has a VerifyJWT policy that can decrypt a JWT that has been encrypted with ECDH-ES, which is ECC. (Like TLS, encrypted JWT uses a hybrid crypto system, where it uses asymmetric keys (in this case, elliptic curve keys) to establish a shared secret, to apply AES (symmetric) encryption.) The client side would need to produce an encrypted JWT, using the public key provided by the Apigee endpoint. There are lots of libraries out there that clients could use. Web clients can use the SubtleCrypto library that is built into web browsers.
  • Option 2: build it yourself. I don't advise this. But you could design some sort of framework for producing your own crypto approach using ECC. The app client would have to have the encrypt implementation, and you would need to build a decrypt custom policy for use in Apigee. You would use Java for this. JavaScript would be inappropriate.

    The reason I do not advise this is, it's hard to get cryptography right. This is captured in the well-trod aphorism: don't roll your own crypto. You might think the statement "don't roll your own crypto" implies "don't try to invent an encryption algorithm." But it's much more expansive than that. Even if you select a known-secure algorithm, and if you use strong keys, if you don't manage keys correctly, or if you don't use the right padding, or the right nonce, or, or, or,... any of a large number of things can lead to a security hole in a system that is intended to provide secrecy. Something like JWT has been vetted and reviewed and is a known good approach or "framework" for applying ECC. If you make up your own, you may not get it right.

I'd advise using encrypted JWT. It's much easier and the eJWT standard is already vetted.

I believe the support for Encrypted JWT is included in Edge, despite the lack of documentation for this. 

Also, you should upgrade to Apigee X. 

