in which scenarios is the CA Auth toolkit required?
It must/can be bought separately?
Does the CA Mobile API gateway include it?
OAuth Toolkit is not licensed seperately. Mobile API Gateway includes it. Use cases of OAuth toolkit varies but as examples, it is a token provider so you can use it as a OAuth token provider. Another example MAG uses our OTK to make Mobile SSO possible. So If you can give detail about your problem/use case, we can give further information
The OAuth Toolkit (OTK) is required whenever the CA API Gateway or CA Mobile API Gateway (gateway) is used to provide an API that should be protected by OAuth. A typical scenario would be this:
The gateway would use the OTK to handle all oauth related tasks.
If you want oAuth2 (or oAuth1) authentication for your APIs.
Supports the full oAuth2 stack: Resource Owner Flow, Client Credential, 3-Legged etc
You will need to create a separate "Consent Page" - the one built in is not suitable for anything but test.
Also you will need to integrate into your existing processes how to create Clients and Key:Secrets.
Retrieving data ...