by codegladiator 3007 days ago
A central server which maintains all authorization information. The client can request a token to access a particular service. The service verifies the token by calling the central server and gets in response the permissions available for that token. Also, a TTLed cache on the servers.

I assume the "central server" is actually an HA cluster of servers with consistency checking of the token data. Otherwise it sounds like a pretty bad SPOF. Any lessons you learned along the way with setting this up?
You are correct, a single one would be a disaster. One of the lessons learnt: every network call is going to add at least 10ms.
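The design from the post (service calls the central server to verify a token and get its permissions, with a TTL'd cache in front of that call) together with the reply's point that each round trip costs latency, as an added example that is not code from the thread's author. The central store, the token value and the fake clock are constructed stand-ins; keying the cache by a hash of the token rather than the raw bearer token is my assumption, not something the post states. The walkthrough also makes the trade-off explicit: a cache hit saves the network call, but a centrally revoked token stays accepted until its cache entry expires, so the TTL is the upper bound on revocation lag.

```python
import hashlib
import time
from typing import Callable, Dict, Optional, Set, Tuple

class PermissionCache:
    """Service-side TTL cache of the permissions the central server returns per token."""

    def __init__(self, introspect: Callable[[str], Optional[Set[str]]],
                 ttl_seconds: float, clock: Callable[[], float] = time.monotonic):
        self._introspect, self._ttl, self._clock = introspect, ttl_seconds, clock
        self._entries: Dict[str, Tuple[float, Optional[Set[str]]]] = {}
        self.network_calls = 0  # each one is the round trip the reply mentions

    def permissions(self, token: str) -> Optional[Set[str]]:
        # Key by a hash so the cache never holds the raw bearer token (my assumption, not the post's).
        key = hashlib.sha256(token.encode()).hexdigest()
        now = self._clock()
        entry = self._entries.get(key)
        if entry is not None and entry[0] > now:
            return entry[1]  # hit: no network call
        self.network_calls += 1
        perms = self._introspect(token)  # miss or expired: ask the central server
        # Unknown tokens are cached as None too, so junk tokens cost at most one call per TTL.
        self._entries[key] = (now + self._ttl, perms)
        return perms

    def is_allowed(self, token: str, permission: str) -> bool:
        perms = self.permissions(token)
        return perms is not None and permission in perms

# Constructed stand-in for the central authorization server's token store.
CENTRAL_STORE: Dict[str, Set[str]] = {"tok-alice": {"read", "write"}}

def central_introspect(token: str) -> Optional[Set[str]]:
    perms = CENTRAL_STORE.get(token)
    return set(perms) if perms is not None else None

def demo(ttl_seconds: float = 30.0):
    """Hit, miss, and the revocation lag the TTL introduces, on a fake clock."""
    clock = {"now": 0.0}
    cache = PermissionCache(central_introspect, ttl_seconds, clock=lambda: clock["now"])
    first = cache.is_allowed("tok-alice", "write")   # miss -> one network call
    second = cache.is_allowed("tok-alice", "write")  # hit  -> served from cache
    calls_after_two = cache.network_calls
    CENTRAL_STORE.pop("tok-alice", None)             # token revoked centrally
    clock["now"] = 10.0
    stale = cache.is_allowed("tok-alice", "write")   # still True until the TTL expires
    clock["now"] = ttl_seconds + 1
    fresh = cache.is_allowed("tok-alice", "write")   # False: re-checked with the server
    return first, second, calls_after_two, stale, fresh, cache.network_calls
```

`demo()` returns `(True, True, 1, True, False, 2)`: two authorization checks cost one round trip, and the revoked token is only rejected after the 30s entry expires.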