Which statement accurately describes implementing OAuth 2.0 in MuleSoft?

OAuth 2.0 in MuleSoft relies on an external authorization server to issue access tokens, and those tokens are then enforced at the API gateway using a validation policy. MuleSoft itself doesn’t generate tokens; you integrate with an OAuth 2.0 provider or Identity Server to issue them, and the gateway, via an OAuth 2.0 policy, validates the tokens on incoming requests. Depending on the token format, validation can be done by decoding JWTs with the provider’s public keys or by consulting the provider’s introspection endpoint for opaque tokens. This setup is supported and commonly used with API Manager. The idea that MuleSoft generates tokens internally, or that OAuth 2.0 is limited to a single grant type, or that API Manager isn’t compatible with OAuth 2.0, doesn’t align with how the framework is designed to enforce access control.