# MYTO Limited — IAM Knowledge Base > Field-tested OAuth 2.0 and IAM patterns from production deployments on PingAM (formerly ForgeRock AM), PingDS, PingIDM, and PingGateway. Organized by deployment scenario, not by spec. Each entry covers: scenario, actors and trust boundaries, flow, common production pitfalls, PingAM implementation notes, and when NOT to use the pattern. MYTO Limited is an independent IAM consultancy specializing in ForgeRock/Ping Identity platforms and Kubernetes-based deployments. Engaged where complexity is not optional. ## OAuth 2.0 by Scenario - [OAuth 2.0 Use Cases — index](https://myto-limited.com/wiki/oauth2/): Catalog of deployment scenarios and the OAuth2 patterns that fit each. ### Planned scenario entries - OAuth2 for Banking APIs — FAPI 2.0, PAR/JAR, consent management for open banking - OAuth2 for Mobile Banking — PKCE, app attestation, sender-constrained tokens on public clients - OAuth2 for Legacy Applications — gateway-mediated tokens for apps that cannot speak OAuth2 - OAuth2 between Microservices — user context propagation, delegation, the act claim - OAuth2 with API Gateway — the phantom token pattern, opaque outside / JWT inside - OAuth2 for Service Mesh — where mTLS/SPIFFE ends and OAuth2 begins - OAuth2 in Hybrid Cloud — cross-domain token exchange, federated authorization servers - OAuth2 for Machine Identities — workload credential lifecycle, rotation, secretless auth - OAuth2 for Kubernetes Workloads — workload identity federation, projected service account tokens - OAuth2 for Batch Processing — long-running jobs with no user present, token lifetime strategy - OAuth2 with PingAM (formerly ForgeRock AM) — platform pillar: how every pattern maps to PingAM ## Patterns & Building Blocks - [Token Exchange for Delegation (RFC 8693)](https://myto-limited.com/wiki/oauth2/token-exchange-delegation): Delegation across microservice boundaries without token replay — act claim, may_act policies, downscoping, and PingAM configuration. ### Planned pattern entries - Client Credentials for machine-to-machine (RFC 6749 §4.4) - Authorization Code + PKCE (RFC 7636) - Refresh token rotation and reuse detection - mTLS-bound access tokens (RFC 8705) - Token introspection vs. stateless JWT validation (RFC 7662) ## Company - [MYTO Limited](https://myto-limited.com): Independent IAM architecture and engineering — PingAM, PingDS, PingIDM, PingGateway, Kubernetes.