Hi @jose.cedeno

You could probably use Custom attributes that are available for Dev apps and products. As a service provider, if you want to control the ttl, then it would be better to set the ttl as a custom attribute in the Product configurations. So in your use case, you will have two categories of products - public and protected. You can configure the ttl accordingly and the dev apps that uses these products will use these attributes at runtime.

For example, in the screenshot below, I have a Product defined with a custom attribute (see bottom of the screenshot)

You need to include your Oauth proxy to this product as well. Once that is done, when you have a valid client_id (from the dev app that uses this product) and after running the VerifyApiKey on your Oauth token flow, you should be able to get the custom attributes as flow variables.

In this case., the above custom attribute will be verifyapikey.{policy_name}.apiproduct.tokenTtl. With this flow variable, you can set that in the Oauth policy that creates the token with the ExpiresIn attribute.

<OAuthV2 name="GenerateAccessToken">
  <!-- This policy generates an OAuth 2.0 access token using the client_credentials grant type -->
  <Operation>GenerateAccessToken</Operation>
  <!-- This is in millseconds, so expire in an hour -->
  <ExpiresIn ref="verifyapikey.Verify-API-Key.apiproduct.tokenTtl">3600000</ExpiresIn><!--default value in milliseconds if flow variable is null-->
  <SupportedGrantTypes>
    <GrantType>client_credentials</GrantType>
  </SupportedGrantTypes>
  <GrantType>request.queryparam.grant_type</GrantType>
  <GenerateResponse/>
</OAuthV2>

By doing this, you have complete control of changing them which is real time as well. More info here on policy docs and more posts here on Custom attributes

Custom attributes is the answer for your questions you asked at the very end as well.

Hope this was useful. Please reach out if you still have questions. Happy to help