Yes, I know that OAuth specification requires HTTPS -- I'm asking if the Apigee Policy implementation of OAuth (specifically in this case the Verify API Key policy, but generally all of the OAuth policies) requires it, or if there's a way to neuter that check.

I'm trying to implement OAuth2.0 using the standard OAuth policy tools, but I keep getting the `oauth.v2.InvalidApiKey` when trying to access the login-app from the webserver-app.

After scratching my head a bit, and verifying the credentials 3-4 times, I decided to trace. I found that in the trace, there is the following information

This seems to indicate that there's no failure in verifying the api key itself. But I did notice the expression `virtualhost.ssl.enabled equals true`, which is not the case here (POC environment uses HTTP, not HTTPS)

So friends, the question is twofold:

1. Does Edge require HTTPS for OAuth2?
2. If so, is there a way for the purposes of demonstration to kill that check?