diff --git a/model/jwt/src/main/java/org/eclipse/ditto/model/jwt/Audience.java b/model/jwt/src/main/java/org/eclipse/ditto/model/jwt/Audience.java
index 4f111e7ef1..0961c9b3ea 100644
--- a/model/jwt/src/main/java/org/eclipse/ditto/model/jwt/Audience.java
+++ b/model/jwt/src/main/java/org/eclipse/ditto/model/jwt/Audience.java
@@ -69,7 +69,7 @@ static Audience fromJson(final JsonValue audValue) {
      *
      * @return the empty audience.
      */
-    static Audience empty() {
+    public static Audience empty() {
         return new Audience(Collections.emptyList());
     }
 
diff --git a/model/placeholders/src/main/java/org/eclipse/ditto/model/placeholders/ExpressionResolver.java b/model/placeholders/src/main/java/org/eclipse/ditto/model/placeholders/ExpressionResolver.java
index 34e4f23b8c..9acf9eb8bc 100644
--- a/model/placeholders/src/main/java/org/eclipse/ditto/model/placeholders/ExpressionResolver.java
+++ b/model/placeholders/src/main/java/org/eclipse/ditto/model/placeholders/ExpressionResolver.java
@@ -70,7 +70,7 @@ default PipelineElement resolve(final String expressionTemplate) {
      * @throws PlaceholderFunctionTooComplexException thrown if the {@code expressionTemplate} contains a placeholder
      * function chain which is too complex (e.g. too much chained function calls)
      */
-    default PipelineElement resolvePartially(final String expressionTemplate) {
+    default String resolvePartially(final String expressionTemplate) {
         return ExpressionResolver.substitute(expressionTemplate, expression -> {
             try {
                 return resolveAsPipelineElement(expression).onUnresolved(() -> PipelineElement.resolved(expression));
@@ -78,7 +78,7 @@ default PipelineElement resolvePartially(final String expressionTemplate) {
                 // placeholder is not supported; return the expression without resolution.
                 return PipelineElement.resolved("{{" + expression + "}}");
             }
-        });
+        }).toOptional().orElseThrow(() -> new IllegalStateException("Impossible"));
     }
 
     /**
diff --git a/model/placeholders/src/test/java/org/eclipse/ditto/model/placeholders/ExpressionResolverTest.java b/model/placeholders/src/test/java/org/eclipse/ditto/model/placeholders/ExpressionResolverTest.java
index 02dc9aba8a..85a28d2313 100644
--- a/model/placeholders/src/test/java/org/eclipse/ditto/model/placeholders/ExpressionResolverTest.java
+++ b/model/placeholders/src/test/java/org/eclipse/ditto/model/placeholders/ExpressionResolverTest.java
@@ -125,7 +125,7 @@ public void testDeleteIfUnresolved() {
     @Test
     public void testPartialResolution() {
         assertThat(expressionResolver.resolvePartially("{{header:header-name}}-{{unknown:placeholder|fn:unknown}}"))
-                .containsExactly("header-val-{{unknown:placeholder|fn:unknown}}");
+                .isEqualTo("header-val-{{unknown:placeholder|fn:unknown}}");
     }
 
 }
diff --git a/model/policies/src/main/java/org/eclipse/ditto/model/policies/PolicyActionFailedException.java b/model/policies/src/main/java/org/eclipse/ditto/model/policies/PolicyActionFailedException.java
index 21c2611d35..2f68d336a3 100755
--- a/model/policies/src/main/java/org/eclipse/ditto/model/policies/PolicyActionFailedException.java
+++ b/model/policies/src/main/java/org/eclipse/ditto/model/policies/PolicyActionFailedException.java
@@ -39,11 +39,17 @@ public final class PolicyActionFailedException extends DittoRuntimeException imp
      */
     public static final String ERROR_CODE = ERROR_CODE_PREFIX + "action.failed";
 
-    private static final HttpStatusCode DEFAULT_STATUS = HttpStatusCode.INTERNAL_SERVER_ERROR;
+    /**
+     * The action {@code activateTokenIntegration}.
+     */
+    public static final String ACTIVATE_TOKEN_INTEGRATION = "activateTokenIntegration";
 
-    private static final String ACTIVATE_TOKEN_INTEGRATION = "activateTokenIntegration";
+    /**
+     * The action {@code deactivateTokenIntegration}.
+     */
+    public static final String DEACTIVATE_TOKEN_INTEGRATION = "deactivateTokenIntegration";
 
-    private static final String DEACTIVATE_TOKEN_INTEGRATION = "deactivateTokenIntegration";
+    private static final HttpStatusCode DEFAULT_STATUS = HttpStatusCode.INTERNAL_SERVER_ERROR;
 
     private static final String MESSAGE_TEMPLATE = "Failed to execute action ''{0}''.";
 
@@ -76,6 +82,19 @@ public static DittoRuntimeExceptionBuilder<PolicyActionFailedException> newBuild
         return new Builder().action(DEACTIVATE_TOKEN_INTEGRATION);
     }
 
+    /**
+     * A mutable builder for a {@code PolicyActionFailedException} due to inappropriate authentication method.
+     *
+     * @param action the failed action.
+     * @return the exception builder.
+     */
+    public static DittoRuntimeExceptionBuilder<PolicyActionFailedException>
+    newBuilderForInappropriateAuthenticationMethod(final String action) {
+        return new Builder().action(action)
+                .status(HttpStatusCode.BAD_REQUEST)
+                .description("Policy action is only possible with JWT authentication.");
+    }
+
     /**
      * A mutable builder for when a deactivation failed due to matching permanent subjects.
      *
diff --git a/services/gateway/endpoints/src/main/java/org/eclipse/ditto/services/gateway/endpoints/directives/auth/GatewayAuthenticationDirective.java b/services/gateway/endpoints/src/main/java/org/eclipse/ditto/services/gateway/endpoints/directives/auth/GatewayAuthenticationDirective.java
index ee4e1a282c..ee4e4ae631 100755
--- a/services/gateway/endpoints/src/main/java/org/eclipse/ditto/services/gateway/endpoints/directives/auth/GatewayAuthenticationDirective.java
+++ b/services/gateway/endpoints/src/main/java/org/eclipse/ditto/services/gateway/endpoints/directives/auth/GatewayAuthenticationDirective.java
@@ -74,10 +74,10 @@ public GatewayAuthenticationDirective(final AuthenticationChain authenticationCh
      * Depending on the request headers, one of the supported authentication mechanisms is applied.
      *
      * @param dittoHeaders the DittoHeaders containing already gathered context information.
-     * @param inner the inner route which will be wrapped with the {@link DittoHeaders}.
+     * @param inner the inner route which will be wrapped with the {@link org.eclipse.ditto.model.base.headers.DittoHeaders}.
      * @return the inner route.
      */
-    public Route authenticate(final DittoHeaders dittoHeaders, final Function<DittoHeadersBuilder<?, ?>, Route> inner) {
+    public Route authenticate(final DittoHeaders dittoHeaders, final Function<AuthenticationResult, Route> inner) {
         return extractRequestContext(requestContext -> {
             final Uri requestUri = requestContext.getRequest().getUri();
 
@@ -95,12 +95,12 @@ public Route authenticate(final DittoHeaders dittoHeaders, final Function<DittoH
     private Route handleAuthenticationTry(final Try<AuthenticationResult> authenticationResultTry,
             final Uri requestUri,
             final DittoHeaders dittoHeaders,
-            final Function<DittoHeadersBuilder<?, ?>, Route> inner) {
+            final Function<AuthenticationResult, Route> inner) {
 
         if (authenticationResultTry.isSuccess()) {
             final AuthenticationResult authenticationResult = authenticationResultTry.get();
             if (authenticationResult.isSuccess()) {
-                return inner.apply(authenticationResult.getDittoHeaders().toBuilder());
+                return inner.apply(authenticationResult);
             }
             return handleFailedAuthentication(authenticationResult.getReasonOfFailure(), requestUri, dittoHeaders);
         }
diff --git a/services/gateway/endpoints/src/main/java/org/eclipse/ditto/services/gateway/endpoints/routes/RootRoute.java b/services/gateway/endpoints/src/main/java/org/eclipse/ditto/services/gateway/endpoints/routes/RootRoute.java
index 39c188c9f2..662592d2df 100755
--- a/services/gateway/endpoints/src/main/java/org/eclipse/ditto/services/gateway/endpoints/routes/RootRoute.java
+++ b/services/gateway/endpoints/src/main/java/org/eclipse/ditto/services/gateway/endpoints/routes/RootRoute.java
@@ -27,7 +27,6 @@
 
 import org.eclipse.ditto.model.base.exceptions.DittoRuntimeException;
 import org.eclipse.ditto.model.base.headers.DittoHeaders;
-import org.eclipse.ditto.model.base.headers.DittoHeadersBuilder;
 import org.eclipse.ditto.model.base.headers.DittoHeadersSizeChecker;
 import org.eclipse.ditto.model.base.json.JsonSchemaVersion;
 import org.eclipse.ditto.protocoladapter.HeaderTranslator;
@@ -50,6 +49,7 @@
 import org.eclipse.ditto.services.gateway.endpoints.routes.websocket.WebSocketRouteBuilder;
 import org.eclipse.ditto.services.gateway.endpoints.routes.whoami.WhoamiRoute;
 import org.eclipse.ditto.services.gateway.endpoints.utils.DittoRejectionHandlerFactory;
+import org.eclipse.ditto.services.gateway.security.authentication.AuthenticationResult;
 import org.eclipse.ditto.services.gateway.util.config.endpoints.HttpConfig;
 import org.eclipse.ditto.services.utils.health.routes.StatusRoute;
 import org.eclipse.ditto.services.utils.protocol.ProtocolAdapterProvider;
@@ -219,16 +219,17 @@ private Route api(final RequestContext ctx, final CharSequence correlationId,
         return rawPathPrefix(PathMatchers.slash().concat(HTTP_PATH_API_PREFIX), () -> // /api
                 ensureSchemaVersion(apiVersion -> // /api/<apiVersion>
                         customApiRoutesProvider.unauthorized(apiVersion, correlationId).orElse(
-                                apiAuthentication(apiVersion, correlationId, initialHeadersBuilder -> {
+                                apiAuthentication(apiVersion, correlationId, auth -> {
                                             final CompletionStage<DittoHeaders> dittoHeadersPromise =
                                                     rootRouteHeadersStepBuilder
-                                                            .withInitialDittoHeadersBuilder(initialHeadersBuilder)
+                                                            .withInitialDittoHeadersBuilder(
+                                                                    auth.getDittoHeaders().toBuilder())
                                                             .withRequestContext(ctx)
                                                             .withQueryParameters(queryParameters)
                                                             .build(CustomHeadersHandler.RequestType.API);
 
                                             return withDittoHeaders(dittoHeadersPromise,
-                                                    dittoHeaders -> buildApiSubRoutes(ctx, dittoHeaders));
+                                                    dittoHeaders -> buildApiSubRoutes(ctx, dittoHeaders, auth));
                                         }
                                 )
                         )
@@ -255,7 +256,7 @@ private Route ensureSchemaVersion(final Function<JsonSchemaVersion, Route> inner
     }
 
     private Route apiAuthentication(final JsonSchemaVersion schemaVersion, final CharSequence correlationId,
-            final Function<DittoHeadersBuilder<?, ?>, Route> inner) {
+            final Function<AuthenticationResult, Route> inner) {
 
         final DittoHeaders dittoHeaders = DittoHeaders.newBuilder()
                 .schemaVersion(schemaVersion)
@@ -264,13 +265,14 @@ private Route apiAuthentication(final JsonSchemaVersion schemaVersion, final Cha
         return apiAuthenticationDirective.authenticate(dittoHeaders, inner);
     }
 
-    private Route buildApiSubRoutes(final RequestContext ctx, final DittoHeaders dittoHeaders) {
+    private Route buildApiSubRoutes(final RequestContext ctx, final DittoHeaders dittoHeaders,
+            final AuthenticationResult authenticationResult) {
 
         final Route customApiSubRoutes = customApiRoutesProvider.authorized(dittoHeaders);
 
         return concat(
                 // /api/{apiVersion}/policies
-                policiesRoute.buildPoliciesRoute(ctx, dittoHeaders),
+                policiesRoute.buildPoliciesRoute(ctx, dittoHeaders, authenticationResult),
                 // /api/{apiVersion}/things SSE support
                 buildSseThingsRoute(ctx, dittoHeaders),
                 // /api/{apiVersion}/things
@@ -309,10 +311,10 @@ private Route ws(final RequestContext ctx, final CharSequence correlationId,
             final Map<String, String> queryParameters) {
         return rawPathPrefix(PathMatchers.slash().concat(WS_PATH_PREFIX), () -> // /ws
                 ensureSchemaVersion(wsVersion -> // /ws/<wsVersion>
-                        wsAuthentication(wsVersion, correlationId, initialHeadersBuilder -> {
+                        wsAuthentication(wsVersion, correlationId, auth -> {
                                     final CompletionStage<DittoHeaders> dittoHeadersPromise =
                                             rootRouteHeadersStepBuilder
-                                                    .withInitialDittoHeadersBuilder(initialHeadersBuilder)
+                                                    .withInitialDittoHeadersBuilder(auth.getDittoHeaders().toBuilder())
                                                     .withRequestContext(ctx)
                                                     .withQueryParameters(queryParameters)
                                                     .build(CustomHeadersHandler.RequestType.WS);
@@ -331,7 +333,7 @@ private Route ws(final RequestContext ctx, final CharSequence correlationId,
     }
 
     private Route wsAuthentication(final JsonSchemaVersion schemaVersion, final CharSequence correlationId,
-            final Function<DittoHeadersBuilder<?, ?>, Route> inner) {
+            final Function<AuthenticationResult, Route> inner) {
 
         final DittoHeaders dittoHeaders = DittoHeaders.newBuilder()
                 .schemaVersion(schemaVersion)
diff --git a/services/gateway/endpoints/src/main/java/org/eclipse/ditto/services/gateway/endpoints/routes/RootRouteExceptionHandler.java b/services/gateway/endpoints/src/main/java/org/eclipse/ditto/services/gateway/endpoints/routes/RootRouteExceptionHandler.java
index e8eb21dd41..f57d5796ab 100644
--- a/services/gateway/endpoints/src/main/java/org/eclipse/ditto/services/gateway/endpoints/routes/RootRouteExceptionHandler.java
+++ b/services/gateway/endpoints/src/main/java/org/eclipse/ditto/services/gateway/endpoints/routes/RootRouteExceptionHandler.java
@@ -40,7 +40,7 @@
  * This class provides an {@link ExceptionHandler} for the root route.
  */
 @Immutable
-final class RootRouteExceptionHandler {
+public final class RootRouteExceptionHandler {
 
     private static final ThreadSafeDittoLogger LOGGER = DittoLoggerFactory
             .getThreadSafeLogger(RootRouteExceptionHandler.class);
diff --git a/services/gateway/endpoints/src/main/java/org/eclipse/ditto/services/gateway/endpoints/routes/policies/OAuthTokenIntegrationSubjectIdFactory.java b/services/gateway/endpoints/src/main/java/org/eclipse/ditto/services/gateway/endpoints/routes/policies/OAuthTokenIntegrationSubjectIdFactory.java
new file mode 100755
index 0000000000..bcdd025176
--- /dev/null
+++ b/services/gateway/endpoints/src/main/java/org/eclipse/ditto/services/gateway/endpoints/routes/policies/OAuthTokenIntegrationSubjectIdFactory.java
@@ -0,0 +1,52 @@
+/*
+ * Copyright (c) 2020 Contributors to the Eclipse Foundation
+ *
+ * See the NOTICE file(s) distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ */
+package org.eclipse.ditto.services.gateway.endpoints.routes.policies;
+
+import org.eclipse.ditto.model.base.headers.DittoHeaders;
+import org.eclipse.ditto.model.jwt.JsonWebToken;
+import org.eclipse.ditto.model.placeholders.ExpressionResolver;
+import org.eclipse.ditto.model.placeholders.PlaceholderFactory;
+import org.eclipse.ditto.model.policies.SubjectId;
+import org.eclipse.ditto.services.gateway.security.authentication.jwt.JwtPlaceholder;
+import org.eclipse.ditto.services.gateway.util.config.security.OAuthConfig;
+
+/**
+ * Creator of token integration subjects for the configured OAuth subject pattern.
+ */
+public final class OAuthTokenIntegrationSubjectIdFactory implements TokenIntegrationSubjectIdFactory {
+
+    private final String subjectTemplate;
+
+    private OAuthTokenIntegrationSubjectIdFactory(final String subjectTemplate) {
+        this.subjectTemplate = subjectTemplate;
+    }
+
+    /**
+     * Create an OAuth token integration subject ID factory from OAuth config.
+     *
+     * @param oAuthConfig the config.
+     * @return the factory.
+     */
+    public static OAuthTokenIntegrationSubjectIdFactory of(final OAuthConfig oAuthConfig) {
+        return new OAuthTokenIntegrationSubjectIdFactory(oAuthConfig.getTokenIntegrationSubject());
+    }
+
+    @Override
+    public SubjectId getSubjectId(final DittoHeaders dittoHeaders, final JsonWebToken jwt) {
+        final ExpressionResolver expressionResolver = PlaceholderFactory.newExpressionResolver(
+                PlaceholderFactory.newPlaceholderResolver(PlaceholderFactory.newHeadersPlaceholder(), dittoHeaders),
+                PlaceholderFactory.newPlaceholderResolver(JwtPlaceholder.getInstance(), jwt)
+        );
+        return SubjectId.newInstance(expressionResolver.resolvePartially(subjectTemplate));
+    }
+}
diff --git a/services/gateway/endpoints/src/main/java/org/eclipse/ditto/services/gateway/endpoints/routes/policies/PoliciesRoute.java b/services/gateway/endpoints/src/main/java/org/eclipse/ditto/services/gateway/endpoints/routes/policies/PoliciesRoute.java
index cf6e4c5972..21dc54fa3f 100755
--- a/services/gateway/endpoints/src/main/java/org/eclipse/ditto/services/gateway/endpoints/routes/policies/PoliciesRoute.java
+++ b/services/gateway/endpoints/src/main/java/org/eclipse/ditto/services/gateway/endpoints/routes/policies/PoliciesRoute.java
@@ -14,18 +14,30 @@
 
 import static org.eclipse.ditto.model.base.exceptions.DittoJsonException.wrapJsonRuntimeException;
 
+import java.time.Instant;
+import java.util.List;
+import java.util.Optional;
+import java.util.function.Function;
+
 import org.eclipse.ditto.json.JsonFactory;
 import org.eclipse.ditto.json.JsonObject;
 import org.eclipse.ditto.json.JsonValue;
 import org.eclipse.ditto.model.base.headers.DittoHeaders;
+import org.eclipse.ditto.model.jwt.JsonWebToken;
 import org.eclipse.ditto.model.policies.PoliciesModelFactory;
 import org.eclipse.ditto.model.policies.Policy;
+import org.eclipse.ditto.model.policies.PolicyActionFailedException;
 import org.eclipse.ditto.model.policies.PolicyId;
+import org.eclipse.ditto.model.policies.SubjectId;
 import org.eclipse.ditto.protocoladapter.HeaderTranslator;
 import org.eclipse.ditto.services.gateway.endpoints.routes.AbstractRoute;
+import org.eclipse.ditto.services.gateway.security.authentication.AuthenticationResult;
+import org.eclipse.ditto.services.gateway.security.authentication.jwt.JwtAuthenticationResult;
 import org.eclipse.ditto.services.gateway.util.config.endpoints.CommandConfig;
 import org.eclipse.ditto.services.gateway.util.config.endpoints.HttpConfig;
 import org.eclipse.ditto.signals.commands.policies.exceptions.PolicyIdNotExplicitlySettableException;
+import org.eclipse.ditto.signals.commands.policies.modify.ActivateSubjects;
+import org.eclipse.ditto.signals.commands.policies.modify.DeactivateSubjects;
 import org.eclipse.ditto.signals.commands.policies.modify.DeletePolicy;
 import org.eclipse.ditto.signals.commands.policies.modify.ModifyPolicy;
 import org.eclipse.ditto.signals.commands.policies.query.RetrievePolicy;
@@ -41,10 +53,15 @@
  */
 public final class PoliciesRoute extends AbstractRoute {
 
+    static final String PATH_ACTIONS = "actions";
+    static final String ACTIVATE_TOKEN_INTEGRATION = PolicyActionFailedException.ACTIVATE_TOKEN_INTEGRATION;
+    static final String DEACTIVATE_TOKEN_INTEGRATION = PolicyActionFailedException.DEACTIVATE_TOKEN_INTEGRATION;
+
     private static final String PATH_POLICIES = "policies";
     private static final String PATH_ENTRIES = "entries";
 
     private final PolicyEntriesRoute policyEntriesRoute;
+    private final TokenIntegrationSubjectIdFactory tokenIntegrationSubjectIdFactory;
 
     /**
      * Constructs the {@code /policies} route builder.
@@ -54,18 +71,22 @@ public final class PoliciesRoute extends AbstractRoute {
      * @param httpConfig the configuration settings of the Gateway service's HTTP endpoint.
      * @param commandConfig the configuration settings of the Gateway service's incoming command processing.
      * @param headerTranslator translates headers from external sources or to external sources.
+     * @param tokenIntegrationSubjectIdFactory factory of resolvers for placeholders.
      * @throws NullPointerException if any argument is {@code null}.
      */
     public PoliciesRoute(final ActorRef proxyActor,
             final ActorSystem actorSystem,
             final HttpConfig httpConfig,
             final CommandConfig commandConfig,
-            final HeaderTranslator headerTranslator) {
+            final HeaderTranslator headerTranslator,
+            final TokenIntegrationSubjectIdFactory tokenIntegrationSubjectIdFactory) {
 
         super(proxyActor, actorSystem, httpConfig, commandConfig, headerTranslator);
+        this.tokenIntegrationSubjectIdFactory = tokenIntegrationSubjectIdFactory;
 
         policyEntriesRoute =
-                new PolicyEntriesRoute(proxyActor, actorSystem, httpConfig, commandConfig, headerTranslator);
+                new PolicyEntriesRoute(proxyActor, actorSystem, httpConfig, commandConfig, headerTranslator,
+                        tokenIntegrationSubjectIdFactory);
     }
 
     /**
@@ -73,19 +94,22 @@ public PoliciesRoute(final ActorRef proxyActor,
      *
      * @return the {@code /policies} route.
      */
-    public Route buildPoliciesRoute(final RequestContext ctx, final DittoHeaders dittoHeaders) {
+    public Route buildPoliciesRoute(final RequestContext ctx, final DittoHeaders dittoHeaders,
+            final AuthenticationResult authenticationResult) {
         return rawPathPrefix(PathMatchers.slash().concat(PATH_POLICIES), () ->
                 rawPathPrefix(PathMatchers.slash().concat(PathMatchers.segment()), policyId ->
                         // /policies/<policyId>
-                        policyRoute(ctx, dittoHeaders, PolicyId.of(policyId))
+                        policyRoute(ctx, dittoHeaders, PolicyId.of(policyId), authenticationResult)
                 )
         );
     }
 
-    private Route policyRoute(final RequestContext ctx, final DittoHeaders dittoHeaders, final PolicyId policyId) {
+    private Route policyRoute(final RequestContext ctx, final DittoHeaders dittoHeaders, final PolicyId policyId,
+            final AuthenticationResult authenticationResult) {
         return concat(
                 policyEntry(ctx, dittoHeaders, policyId),
-                policyEntryEntries(ctx, dittoHeaders, policyId)
+                policyEntryEntries(ctx, dittoHeaders, policyId, authenticationResult),
+                policyActions(ctx, dittoHeaders, policyId, authenticationResult)
         );
     }
 
@@ -134,11 +158,62 @@ private static JsonObject createPolicyJsonObjectForPut(final String jsonString,
      *
      * @return {@code /policies/<policyId>/entries} route.
      */
-    private Route policyEntryEntries(final RequestContext ctx, final DittoHeaders dittoHeaders,
-            final PolicyId policyId) {
+    private Route policyEntryEntries(final RequestContext ctx, final DittoHeaders dittoHeaders, final PolicyId policyId,
+            final AuthenticationResult authResult) {
         return rawPathPrefix(PathMatchers.slash().concat(PATH_ENTRIES), () -> // /policies/<policyId>/entries
-                policyEntriesRoute.buildPolicyEntriesRoute(ctx, dittoHeaders, policyId)
+                policyEntriesRoute.buildPolicyEntriesRoute(ctx, dittoHeaders, policyId, authResult)
         );
     }
 
+    /*
+     * Describes{@code /policies/<policyId>/actions} route.
+     */
+    private Route policyActions(final RequestContext ctx, final DittoHeaders dittoHeaders, final PolicyId policyId,
+            final AuthenticationResult authenticationResult) {
+
+        return rawPathPrefix(PathMatchers.slash().concat(PATH_ACTIONS), () -> concat(// /policies/<policyId>/actions
+                rawPathPrefix(PathMatchers.slash().concat(ACTIVATE_TOKEN_INTEGRATION), () ->
+                        pathEndOrSingleSlash(() ->
+                                extractJwt(dittoHeaders, authenticationResult, ACTIVATE_TOKEN_INTEGRATION, jwt ->
+                                        post(() -> handlePerRequest(ctx,
+                                                activateSubjects(dittoHeaders, policyId, jwt)))))),
+                rawPathPrefix(PathMatchers.slash().concat(DEACTIVATE_TOKEN_INTEGRATION), () ->
+                        pathEndOrSingleSlash(() ->
+                                extractJwt(dittoHeaders, authenticationResult, DEACTIVATE_TOKEN_INTEGRATION, jwt ->
+                                        post(() -> handlePerRequest(ctx,
+                                                deactivateSubjects(dittoHeaders, policyId, jwt))))))
+        ));
+    }
+
+    private ActivateSubjects activateSubjects(final DittoHeaders dittoHeaders, final PolicyId policyId,
+            final JsonWebToken jwt) {
+
+        final SubjectId subjectId = tokenIntegrationSubjectIdFactory.getSubjectId(dittoHeaders, jwt);
+        final Instant expiry = jwt.getExpirationTime();
+        return ActivateSubjects.of(policyId, subjectId, expiry, List.of(), dittoHeaders);
+    }
+
+    private DeactivateSubjects deactivateSubjects(final DittoHeaders dittoHeaders, final PolicyId policyId,
+            final JsonWebToken jwt) {
+
+        final SubjectId subjectId = tokenIntegrationSubjectIdFactory.getSubjectId(dittoHeaders, jwt);
+        return DeactivateSubjects.of(policyId, subjectId, List.of(), dittoHeaders);
+    }
+
+    static Route extractJwt(final DittoHeaders dittoHeaders,
+            final AuthenticationResult authResult,
+            final String action,
+            final Function<JsonWebToken, Route> inner) {
+
+        if (authResult instanceof JwtAuthenticationResult) {
+            final Optional<JsonWebToken> jwtOptional = ((JwtAuthenticationResult) authResult).getJwt();
+            if (jwtOptional.isPresent()) {
+                return inner.apply(jwtOptional.get());
+            }
+        }
+        throw PolicyActionFailedException.newBuilderForInappropriateAuthenticationMethod(action)
+                .dittoHeaders(dittoHeaders)
+                .build();
+    }
+
 }
diff --git a/services/gateway/endpoints/src/main/java/org/eclipse/ditto/services/gateway/endpoints/routes/policies/PolicyEntriesRoute.java b/services/gateway/endpoints/src/main/java/org/eclipse/ditto/services/gateway/endpoints/routes/policies/PolicyEntriesRoute.java
index fe4860276c..87214b74ec 100755
--- a/services/gateway/endpoints/src/main/java/org/eclipse/ditto/services/gateway/endpoints/routes/policies/PolicyEntriesRoute.java
+++ b/services/gateway/endpoints/src/main/java/org/eclipse/ditto/services/gateway/endpoints/routes/policies/PolicyEntriesRoute.java
@@ -13,10 +13,14 @@
 package org.eclipse.ditto.services.gateway.endpoints.routes.policies;
 
 import static org.eclipse.ditto.model.base.exceptions.DittoJsonException.wrapJsonRuntimeException;
+import static org.eclipse.ditto.services.gateway.endpoints.routes.policies.PoliciesRoute.ACTIVATE_TOKEN_INTEGRATION;
+import static org.eclipse.ditto.services.gateway.endpoints.routes.policies.PoliciesRoute.DEACTIVATE_TOKEN_INTEGRATION;
+import static org.eclipse.ditto.services.gateway.endpoints.routes.policies.PoliciesRoute.PATH_ACTIONS;
 
 import org.eclipse.ditto.json.JsonFactory;
 import org.eclipse.ditto.json.JsonObject;
 import org.eclipse.ditto.model.base.headers.DittoHeaders;
+import org.eclipse.ditto.model.jwt.JsonWebToken;
 import org.eclipse.ditto.model.policies.Label;
 import org.eclipse.ditto.model.policies.PoliciesModelFactory;
 import org.eclipse.ditto.model.policies.PolicyEntry;
@@ -29,8 +33,11 @@
 import org.eclipse.ditto.model.policies.Subjects;
 import org.eclipse.ditto.protocoladapter.HeaderTranslator;
 import org.eclipse.ditto.services.gateway.endpoints.routes.AbstractRoute;
+import org.eclipse.ditto.services.gateway.security.authentication.AuthenticationResult;
 import org.eclipse.ditto.services.gateway.util.config.endpoints.CommandConfig;
 import org.eclipse.ditto.services.gateway.util.config.endpoints.HttpConfig;
+import org.eclipse.ditto.signals.commands.policies.modify.ActivateSubject;
+import org.eclipse.ditto.signals.commands.policies.modify.DeactivateSubject;
 import org.eclipse.ditto.signals.commands.policies.modify.DeletePolicyEntry;
 import org.eclipse.ditto.signals.commands.policies.modify.DeleteResource;
 import org.eclipse.ditto.signals.commands.policies.modify.DeleteSubject;
@@ -61,6 +68,8 @@ final class PolicyEntriesRoute extends AbstractRoute {
     private static final String PATH_SUFFIX_SUBJECTS = "subjects";
     private static final String PATH_SUFFIX_RESOURCES = "resources";
 
+    private final TokenIntegrationSubjectIdFactory tokenIntegrationSubjectIdFactory;
+
     /**
      * Constructs the {@code /entries} route builder.
      *
@@ -69,15 +78,18 @@ final class PolicyEntriesRoute extends AbstractRoute {
      * @param httpConfig the configuration settings of the Gateway service's HTTP endpoint.
      * @param commandConfig the configuration settings of the Gateway service's incoming command processing.
      * @param headerTranslator translates headers from external sources or to external sources.
+     * @param tokenIntegrationSubjectIdFactory factory of token integration subject IDs.
      * @throws NullPointerException if any argument is {@code null}.
      */
     PolicyEntriesRoute(final ActorRef proxyActor,
             final ActorSystem actorSystem,
             final HttpConfig httpConfig,
             final CommandConfig commandConfig,
-            final HeaderTranslator headerTranslator) {
+            final HeaderTranslator headerTranslator,
+            final TokenIntegrationSubjectIdFactory tokenIntegrationSubjectIdFactory) {
 
         super(proxyActor, actorSystem, httpConfig, commandConfig, headerTranslator);
+        this.tokenIntegrationSubjectIdFactory = tokenIntegrationSubjectIdFactory;
     }
 
     /**
@@ -85,14 +97,16 @@ final class PolicyEntriesRoute extends AbstractRoute {
      *
      * @return the {@code /entries} route.
      */
-    Route buildPolicyEntriesRoute(final RequestContext ctx, final DittoHeaders dittoHeaders, final PolicyId policyId) {
+    Route buildPolicyEntriesRoute(final RequestContext ctx, final DittoHeaders dittoHeaders, final PolicyId policyId,
+            final AuthenticationResult authResult) {
         return concat(
                 thingsEntryPolicyEntries(ctx, dittoHeaders, policyId),
                 thingsEntryPolicyEntry(ctx, dittoHeaders, policyId),
                 thingsEntryPolicyEntrySubjects(ctx, dittoHeaders, policyId),
                 thingsEntryPolicyEntrySubjectsEntry(ctx, dittoHeaders, policyId),
                 thingsEntryPolicyEntryResources(ctx, dittoHeaders, policyId),
-                thingsEntryPolicyEntryResourcesEntry(ctx, dittoHeaders, policyId)
+                thingsEntryPolicyEntryResourcesEntry(ctx, dittoHeaders, policyId),
+                policyEntryActions(ctx, dittoHeaders, policyId, authResult)
         );
     }
 
@@ -338,6 +352,40 @@ private Route thingsEntryPolicyEntryResourcesEntry(final RequestContext ctx, fin
         );
     }
 
+    /*
+     * Describes {@code /entries/<label>/actions} route.
+     */
+    private Route policyEntryActions(final RequestContext ctx, final DittoHeaders dittoHeaders,
+            final PolicyId policyId, final AuthenticationResult authResult) {
+
+        return rawPathPrefix(PathMatchers.slash().concat(PathMatchers.segment()), label ->
+                rawPathPrefix(PathMatchers.slash().concat(PATH_ACTIONS), () -> concat(
+                        rawPathPrefix(PathMatchers.slash().concat(ACTIVATE_TOKEN_INTEGRATION), () ->
+                                pathEndOrSingleSlash(() -> PoliciesRoute.extractJwt(
+                                        dittoHeaders, authResult, ACTIVATE_TOKEN_INTEGRATION,
+                                        jwt -> post(() -> handlePerRequest(ctx,
+                                                activateSubject(dittoHeaders, policyId, label, jwt)))))),
+                        rawPathPrefix(PathMatchers.slash().concat(DEACTIVATE_TOKEN_INTEGRATION), () ->
+                                pathEndOrSingleSlash(() -> PoliciesRoute.extractJwt(
+                                        dittoHeaders, authResult, DEACTIVATE_TOKEN_INTEGRATION,
+                                        jwt -> post(() -> handlePerRequest(ctx,
+                                                deactivateSubject(dittoHeaders, policyId, label, jwt))))))
+                ))
+        );
+    }
+
+    private ActivateSubject activateSubject(DittoHeaders dittoHeaders, final PolicyId policyId, final String label,
+            final JsonWebToken jwt) {
+        final SubjectId subjectId = tokenIntegrationSubjectIdFactory.getSubjectId(dittoHeaders, jwt);
+        return ActivateSubject.of(policyId, Label.of(label), subjectId, jwt.getExpirationTime(), dittoHeaders);
+    }
+
+    private DeactivateSubject deactivateSubject(final DittoHeaders dittoHeaders, final PolicyId policyId,
+            final String label, final JsonWebToken jwt) {
+        final SubjectId subjectId = tokenIntegrationSubjectIdFactory.getSubjectId(dittoHeaders, jwt);
+        return DeactivateSubject.of(policyId, Label.of(label), subjectId, dittoHeaders);
+    }
+
     private static ResourceKey resourceKeyFromUnmatchedPath(final String resource) {
         // cut off leading "/" if there is one:
         return resource.startsWith("/")
diff --git a/services/gateway/endpoints/src/main/java/org/eclipse/ditto/services/gateway/endpoints/routes/policies/TokenIntegrationSubjectIdFactory.java b/services/gateway/endpoints/src/main/java/org/eclipse/ditto/services/gateway/endpoints/routes/policies/TokenIntegrationSubjectIdFactory.java
new file mode 100755
index 0000000000..6f0c215930
--- /dev/null
+++ b/services/gateway/endpoints/src/main/java/org/eclipse/ditto/services/gateway/endpoints/routes/policies/TokenIntegrationSubjectIdFactory.java
@@ -0,0 +1,33 @@
+/*
+ * Copyright (c) 2020 Contributors to the Eclipse Foundation
+ *
+ * See the NOTICE file(s) distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ */
+package org.eclipse.ditto.services.gateway.endpoints.routes.policies;
+
+import org.eclipse.ditto.model.base.headers.DittoHeaders;
+import org.eclipse.ditto.model.jwt.JsonWebToken;
+import org.eclipse.ditto.model.policies.SubjectId;
+
+/**
+ * Creator of token integration subject IDs.
+ */
+public interface TokenIntegrationSubjectIdFactory {
+
+    /**
+     * Compute the token integration subject ID from headers and JWT.
+     *
+     * @param dittoHeaders the Ditto headers.
+     * @param jwt the JWT.
+     * @return the computed subject ID.
+     */
+    SubjectId getSubjectId(final DittoHeaders dittoHeaders, final JsonWebToken jwt);
+
+}
diff --git a/services/gateway/endpoints/src/main/java/org/eclipse/ditto/services/gateway/endpoints/routes/policies/package-info.java b/services/gateway/endpoints/src/main/java/org/eclipse/ditto/services/gateway/endpoints/routes/policies/package-info.java
new file mode 100644
index 0000000000..41a6b0354e
--- /dev/null
+++ b/services/gateway/endpoints/src/main/java/org/eclipse/ditto/services/gateway/endpoints/routes/policies/package-info.java
@@ -0,0 +1,14 @@
+/*
+ * Copyright (c) 2020 Contributors to the Eclipse Foundation
+ *
+ * See the NOTICE file(s) distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ */
+@org.eclipse.ditto.utils.jsr305.annotations.AllParametersAndReturnValuesAreNonnullByDefault
+package org.eclipse.ditto.services.gateway.endpoints.routes.policies;
diff --git a/services/gateway/endpoints/src/test/java/org/eclipse/ditto/services/gateway/endpoints/EndpointTestBase.java b/services/gateway/endpoints/src/test/java/org/eclipse/ditto/services/gateway/endpoints/EndpointTestBase.java
index 2c07b8e4a5..242e883349 100755
--- a/services/gateway/endpoints/src/test/java/org/eclipse/ditto/services/gateway/endpoints/EndpointTestBase.java
+++ b/services/gateway/endpoints/src/test/java/org/eclipse/ditto/services/gateway/endpoints/EndpointTestBase.java
@@ -12,6 +12,7 @@
  */
 package org.eclipse.ditto.services.gateway.endpoints;
 
+import static akka.http.javadsl.model.ContentTypes.APPLICATION_JSON;
 import static java.util.Objects.requireNonNull;
 
 import java.util.Collections;
@@ -33,6 +34,7 @@
 import org.eclipse.ditto.model.base.json.Jsonifiable;
 import org.eclipse.ditto.model.things.ThingId;
 import org.eclipse.ditto.services.base.config.http.DefaultHttpProxyConfig;
+import org.eclipse.ditto.services.gateway.endpoints.routes.RootRouteExceptionHandler;
 import org.eclipse.ditto.services.gateway.security.authentication.jwt.DittoJwtAuthorizationSubjectsProvider;
 import org.eclipse.ditto.services.gateway.security.authentication.jwt.JwtAuthenticationFactory;
 import org.eclipse.ditto.services.gateway.security.authentication.jwt.JwtAuthorizationSubjectsProviderFactory;
@@ -74,8 +76,11 @@
 import akka.actor.ActorRef;
 import akka.actor.ActorSystem;
 import akka.actor.Props;
+import akka.http.javadsl.model.HttpEntities;
 import akka.http.javadsl.model.HttpRequest;
+import akka.http.javadsl.model.HttpResponse;
 import akka.http.javadsl.model.StatusCodes;
+import akka.http.javadsl.server.Route;
 import akka.http.javadsl.testkit.JUnitRouteTest;
 import akka.http.javadsl.testkit.TestRouteResult;
 import akka.japi.pf.ReceiveBuilder;
@@ -121,8 +126,9 @@ public static void initTestFixture() {
         publicHealthConfig = DefaultPublicHealthConfig.of(gatewayScopedConfig);
         protocolConfig = DefaultProtocolConfig.of(dittoScopedConfig);
         cloudEventsConfig = DefaultCloudEventsConfig.of(gatewayScopedConfig);
-        httpClientFacade = DefaultHttpClientFacade.getInstance(ActorSystem.create(EndpointTestBase.class.getSimpleName()),
-                DefaultHttpProxyConfig.ofProxy(DefaultScopedConfig.empty("/")));
+        httpClientFacade =
+                DefaultHttpClientFacade.getInstance(ActorSystem.create(EndpointTestBase.class.getSimpleName()),
+                        DefaultHttpProxyConfig.ofProxy(DefaultScopedConfig.empty("/")));
         authorizationSubjectsProviderFactory = DittoJwtAuthorizationSubjectsProvider::of;
         jwtAuthenticationFactory = JwtAuthenticationFactory.newInstance(authConfig.getOAuthConfig(), cacheConfig,
                 httpClientFacade, authorizationSubjectsProviderFactory);
@@ -177,6 +183,15 @@ protected HttpRequest withStatusCredentials(final HttpRequest httpRequest) {
         return httpRequest.addCredentials(EndpointTestConstants.STATUS_CREDENTIALS);
     }
 
+    protected Route handleExceptions(final Supplier<Route> inner) {
+        return handleExceptions(
+                RootRouteExceptionHandler.getInstance(exception ->
+                        HttpResponse.create().withStatus(exception.getStatusCode().toInt())
+                                .withEntity(HttpEntities.create(APPLICATION_JSON, exception.toJsonString()))
+                ),
+                inner);
+    }
+
     protected static void assertWebsocketUpgradeExpectedResult(final TestRouteResult result) {
         result.assertStatusCode(StatusCodes.BAD_REQUEST);
         result.assertEntity("Expected WebSocket Upgrade request");
diff --git a/services/gateway/endpoints/src/test/java/org/eclipse/ditto/services/gateway/endpoints/routes/RootRouteTest.java b/services/gateway/endpoints/src/test/java/org/eclipse/ditto/services/gateway/endpoints/routes/RootRouteTest.java
index 05f4aa64f7..a4b5865396 100755
--- a/services/gateway/endpoints/src/test/java/org/eclipse/ditto/services/gateway/endpoints/routes/RootRouteTest.java
+++ b/services/gateway/endpoints/src/test/java/org/eclipse/ditto/services/gateway/endpoints/routes/RootRouteTest.java
@@ -37,7 +37,6 @@
 import org.eclipse.ditto.services.gateway.endpoints.EndpointTestBase;
 import org.eclipse.ditto.services.gateway.endpoints.EndpointTestConstants;
 import org.eclipse.ditto.services.gateway.endpoints.directives.HttpsEnsuringDirective;
-import org.eclipse.ditto.services.gateway.endpoints.directives.auth.DevOpsBasicAuthenticationDirective;
 import org.eclipse.ditto.services.gateway.endpoints.directives.auth.DevopsAuthenticationDirective;
 import org.eclipse.ditto.services.gateway.endpoints.directives.auth.DevopsAuthenticationDirectiveFactory;
 import org.eclipse.ditto.services.gateway.endpoints.directives.auth.DittoGatewayAuthenticationDirectiveFactory;
@@ -45,6 +44,7 @@
 import org.eclipse.ditto.services.gateway.endpoints.routes.cloudevents.CloudEventsRoute;
 import org.eclipse.ditto.services.gateway.endpoints.routes.devops.DevOpsRoute;
 import org.eclipse.ditto.services.gateway.endpoints.routes.health.CachingHealthRoute;
+import org.eclipse.ditto.services.gateway.endpoints.routes.policies.OAuthTokenIntegrationSubjectIdFactory;
 import org.eclipse.ditto.services.gateway.endpoints.routes.policies.PoliciesRoute;
 import org.eclipse.ditto.services.gateway.endpoints.routes.sse.ThingsSseRouteBuilder;
 import org.eclipse.ditto.services.gateway.endpoints.routes.stats.StatsRoute;
@@ -161,14 +161,17 @@ public void setUp() {
                 .cachingHealthRoute(new CachingHealthRoute(statusAndHealthProvider, publicHealthConfig))
                 .devopsRoute(new DevOpsRoute(proxyActor, actorSystem, httpConfig, commandConfig,
                         headerTranslator, devOpsAuthenticationDirective))
-                .policiesRoute(new PoliciesRoute(proxyActor, actorSystem, httpConfig, commandConfig, headerTranslator))
+                .policiesRoute(new PoliciesRoute(proxyActor, actorSystem, httpConfig, commandConfig, headerTranslator,
+                        OAuthTokenIntegrationSubjectIdFactory.of(authConfig.getOAuthConfig())))
                 .sseThingsRoute(ThingsSseRouteBuilder.getInstance(proxyActor, streamingConfig, proxyActor))
                 .thingsRoute(new ThingsRoute(proxyActor, actorSystem, httpConfig, commandConfig, messageConfig,
                         claimMessageConfig, headerTranslator))
                 .thingSearchRoute(
                         new ThingSearchRoute(proxyActor, actorSystem, httpConfig, commandConfig, headerTranslator))
                 .whoamiRoute(new WhoamiRoute(proxyActor, actorSystem, httpConfig, commandConfig, headerTranslator))
-                .cloudEventsRoute(new CloudEventsRoute(proxyActor, actorSystem, httpConfig, commandConfig, headerTranslator, cloudEventsConfig))
+                .cloudEventsRoute(
+                        new CloudEventsRoute(proxyActor, actorSystem, httpConfig, commandConfig, headerTranslator,
+                                cloudEventsConfig))
                 .websocketRoute(WebSocketRoute.getInstance(proxyActor, streamingConfig, materializer))
                 .supportedSchemaVersions(httpConfig.getSupportedSchemaVersions())
                 .protocolAdapterProvider(protocolAdapterProvider)
diff --git a/services/gateway/endpoints/src/test/java/org/eclipse/ditto/services/gateway/endpoints/routes/policies/DummyJwt.java b/services/gateway/endpoints/src/test/java/org/eclipse/ditto/services/gateway/endpoints/routes/policies/DummyJwt.java
new file mode 100644
index 0000000000..9eccb2599c
--- /dev/null
+++ b/services/gateway/endpoints/src/test/java/org/eclipse/ditto/services/gateway/endpoints/routes/policies/DummyJwt.java
@@ -0,0 +1,92 @@
+/*
+ * Copyright (c) 2020 Contributors to the Eclipse Foundation
+ *
+ * See the NOTICE file(s) distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ */
+package org.eclipse.ditto.services.gateway.endpoints.routes.policies;
+
+import java.time.Duration;
+import java.time.Instant;
+import java.util.List;
+
+import org.eclipse.ditto.json.JsonObject;
+import org.eclipse.ditto.model.jwt.Audience;
+import org.eclipse.ditto.model.jwt.JsonWebToken;
+
+/**
+ * Dummy JSON web token for tests.
+ */
+final class DummyJwt implements JsonWebToken {
+
+    static final Instant EXPIRY = Instant.now().plus(Duration.ofDays(1));
+
+    @Override
+    public String getToken() {
+        return "token";
+    }
+
+    @Override
+    public JsonObject getHeader() {
+        return JsonObject.empty();
+    }
+
+    @Override
+    public JsonObject getBody() {
+        return JsonObject.newBuilder()
+                .set("sub", "dummy-subject")
+                .set("iss", "dummy-issuer")
+                .build();
+    }
+
+    @Override
+    public String getKeyId() {
+        return "dummy-key-id";
+    }
+
+    @Override
+    public String getIssuer() {
+        return "dummy-issuer";
+    }
+
+    @Override
+    public String getSignature() {
+        return "dummy-signature";
+    }
+
+    @Override
+    public List<String> getSubjects() {
+        return List.of("dummy-subject");
+    }
+
+    @Override
+    public Audience getAudience() {
+        return Audience.empty();
+    }
+
+    @Override
+    public String getAuthorizedParty() {
+        return "dummy-authorized-party";
+    }
+
+    @Override
+    public List<String> getScopes() {
+        return List.of("dummy-scope");
+    }
+
+    @Override
+    public Instant getExpirationTime() {
+        return EXPIRY;
+    }
+
+    @Override
+    public boolean isExpired() {
+        return false;
+    }
+}
\ No newline at end of file
diff --git a/services/gateway/endpoints/src/test/java/org/eclipse/ditto/services/gateway/endpoints/routes/policies/PoliciesRouteTest.java b/services/gateway/endpoints/src/test/java/org/eclipse/ditto/services/gateway/endpoints/routes/policies/PoliciesRouteTest.java
new file mode 100644
index 0000000000..f522374d2f
--- /dev/null
+++ b/services/gateway/endpoints/src/test/java/org/eclipse/ditto/services/gateway/endpoints/routes/policies/PoliciesRouteTest.java
@@ -0,0 +1,219 @@
+/*
+ * Copyright (c) 2020 Contributors to the Eclipse Foundation
+ *
+ * See the NOTICE file(s) distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ */
+package org.eclipse.ditto.services.gateway.endpoints.routes.policies;
+
+import static akka.http.javadsl.model.ContentTypes.APPLICATION_JSON;
+
+import java.util.List;
+
+import org.eclipse.ditto.model.base.auth.AuthorizationContext;
+import org.eclipse.ditto.model.base.auth.AuthorizationSubject;
+import org.eclipse.ditto.model.base.auth.DittoAuthorizationContextType;
+import org.eclipse.ditto.model.base.headers.DittoHeaders;
+import org.eclipse.ditto.model.policies.Label;
+import org.eclipse.ditto.model.policies.PolicyActionFailedException;
+import org.eclipse.ditto.model.policies.PolicyId;
+import org.eclipse.ditto.model.policies.SubjectId;
+import org.eclipse.ditto.services.gateway.endpoints.EndpointTestBase;
+import org.eclipse.ditto.services.gateway.security.authentication.AuthenticationResult;
+import org.eclipse.ditto.services.gateway.security.authentication.DefaultAuthenticationResult;
+import org.eclipse.ditto.services.gateway.security.authentication.jwt.JwtAuthenticationResult;
+import org.eclipse.ditto.services.utils.protocol.ProtocolAdapterProvider;
+import org.eclipse.ditto.signals.commands.policies.modify.ActivateSubject;
+import org.eclipse.ditto.signals.commands.policies.modify.ActivateSubjects;
+import org.eclipse.ditto.signals.commands.policies.modify.DeactivateSubject;
+import org.eclipse.ditto.signals.commands.policies.modify.DeactivateSubjects;
+import org.junit.Before;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.TestName;
+
+import akka.actor.ActorSystem;
+import akka.http.javadsl.model.HttpRequest;
+import akka.http.javadsl.model.StatusCodes;
+import akka.http.javadsl.testkit.TestRoute;
+
+/**
+ * Tests {@link PoliciesRoute}.
+ */
+public final class PoliciesRouteTest extends EndpointTestBase {
+
+    private static final String DUMMY_POLICY = "{\n" +
+            "    \"entries\": {\n" +
+            "      \"the_label\": {\n" +
+            "        \"subjects\": {\n" +
+            "          \"google:the_subjectid\": {\n" +
+            "            \"type\": \"yourSubjectTypeDescription\"\n" +
+            "          }\n" +
+            "        },\n" +
+            "        \"resources\": {\n" +
+            "          \"thing:/the_resource_path\": {\n" +
+            "            \"grant\": [\n" +
+            "              \"READ\",\n" +
+            "              \"WRITE\"\n" +
+            "            ],\n" +
+            "            \"revoke\": []\n" +
+            "          }\n" +
+            "        }\n" +
+            "      }\n" +
+            "    }\n" +
+            "  }";
+
+    @Rule
+    public final TestName testName = new TestName();
+
+    private DittoHeaders dittoHeaders;
+    private PoliciesRoute policiesRoute;
+
+    @Before
+    public void setUp() {
+        final ActorSystem actorSystem = system();
+        final ProtocolAdapterProvider adapterProvider = ProtocolAdapterProvider.load(protocolConfig, actorSystem);
+
+        policiesRoute = new PoliciesRoute(createDummyResponseActor(), actorSystem, httpConfig, commandConfig,
+                adapterProvider.getHttpHeaderTranslator(),
+                OAuthTokenIntegrationSubjectIdFactory.of(authConfig.getOAuthConfig()));
+
+        dittoHeaders = DittoHeaders.newBuilder().correlationId(testName.getMethodName()).build();
+
+    }
+
+    @Test
+    public void putPolicy() {
+        getRoute(getPreAuthResult()).run(HttpRequest.PUT("/policies/org.eclipse.ditto%3Adummy")
+                .withEntity(APPLICATION_JSON, DUMMY_POLICY))
+                .assertStatusCode(StatusCodes.OK);
+    }
+
+    @Test
+    public void getPolicy() {
+        getRoute(getPreAuthResult()).run(HttpRequest.GET("/policies/org.eclipse.ditto%3Adummy"))
+                .assertStatusCode(StatusCodes.OK);
+    }
+
+    @Test
+    public void deletePolicy() {
+        getRoute(getPreAuthResult()).run(HttpRequest.DELETE("/policies/org.eclipse.ditto%3Adummy"))
+                .assertStatusCode(StatusCodes.OK);
+    }
+
+    @Test
+    public void postPolicy() {
+        getRoute(getPreAuthResult()).run(HttpRequest.POST("/policies")
+                .withEntity(APPLICATION_JSON, DUMMY_POLICY))
+                .assertStatusCode(StatusCodes.NOT_FOUND);
+    }
+
+    @Test
+    public void activateSubjectsWithPreAuthentication() {
+        getRoute(getPreAuthResult()).run(HttpRequest.POST("/policies/ns%3An/actions/activateTokenIntegration/"))
+                .assertStatusCode(StatusCodes.BAD_REQUEST)
+                .assertEntity(PolicyActionFailedException.newBuilderForInappropriateAuthenticationMethod(
+                        "activateTokenIntegration")
+                        .build()
+                        .toJsonString());
+    }
+
+    @Test
+    public void deactivateSubjectsWithPreAuthentication() {
+        getRoute(getPreAuthResult()).run(HttpRequest.POST("/policies/ns%3An/actions/deactivateTokenIntegration"))
+                .assertStatusCode(StatusCodes.BAD_REQUEST)
+                .assertEntity(PolicyActionFailedException.newBuilderForInappropriateAuthenticationMethod(
+                        "deactivateTokenIntegration")
+                        .build()
+                        .toJsonString());
+    }
+
+    @Test
+    public void incorrectPolicyActionMethod() {
+        getRoute(getTokenAuthResult()).run(HttpRequest.GET("/policies/ns%3An/actions/activateTokenIntegration/"))
+                .assertStatusCode(StatusCodes.METHOD_NOT_ALLOWED);
+    }
+
+    @Test
+    public void nonexistentPolicyAction() {
+        getRoute(getTokenAuthResult()).run(HttpRequest.POST("/policies/ns%3An/actions/justDoIt"))
+                .assertStatusCode(StatusCodes.NOT_FOUND);
+    }
+
+    @Test
+    public void activateTokenIntegration() {
+        getRoute(getTokenAuthResult()).run(HttpRequest.POST("/policies/ns%3An/actions/activateTokenIntegration/"))
+                .assertStatusCode(StatusCodes.OK)
+                .assertEntity(ActivateSubjects.of(PolicyId.of("ns:n"),
+                        SubjectId.newInstance("integration:{{policy-entry:label}}:dummy-issuer:dummy-subject"),
+                        DummyJwt.EXPIRY,
+                        List.of(),
+                        DittoHeaders.empty()
+                ).toJsonString());
+    }
+
+    @Test
+    public void deactivateTokenIntegration() {
+        getRoute(getTokenAuthResult()).run(HttpRequest.POST("/policies/ns%3An/actions/deactivateTokenIntegration"))
+                .assertStatusCode(StatusCodes.OK)
+                .assertEntity(DeactivateSubjects.of(PolicyId.of("ns:n"),
+                        SubjectId.newInstance("integration:{{policy-entry:label}}:dummy-issuer:dummy-subject"),
+                        List.of(),
+                        DittoHeaders.empty()
+                ).toJsonString());
+    }
+
+    private TestRoute getRoute(final AuthenticationResult authResult) {
+        return testRoute(handleExceptions(() ->
+                extractRequestContext(ctx ->
+                        policiesRoute.buildPoliciesRoute(ctx, dittoHeaders, authResult))
+        ));
+    }
+
+    @Test
+    public void activateTokenIntegrationForEntry() {
+        getRoute(getTokenAuthResult()).run(HttpRequest.POST(
+                "/policies/ns%3An/entries/label/actions/activateTokenIntegration/"))
+                .assertStatusCode(StatusCodes.OK)
+                .assertEntity(ActivateSubject.of(PolicyId.of("ns:n"),
+                        Label.of("label"),
+                        SubjectId.newInstance("integration:{{policy-entry:label}}:dummy-issuer:dummy-subject"),
+                        DummyJwt.EXPIRY,
+                        DittoHeaders.empty()
+                ).toJsonString());
+    }
+
+    @Test
+    public void deactivateTokenIntegrationForEntry() {
+        getRoute(getTokenAuthResult()).run(HttpRequest.POST(
+                "/policies/ns%3An/entries/label/actions/deactivateTokenIntegration"))
+                .assertStatusCode(StatusCodes.OK)
+                .assertEntity(DeactivateSubject.of(PolicyId.of("ns:n"),
+                        Label.of("label"),
+                        SubjectId.newInstance("integration:{{policy-entry:label}}:dummy-issuer:dummy-subject"),
+                        DittoHeaders.empty()
+                ).toJsonString());
+    }
+
+    private static AuthorizationContext getDummyAuthorizationContext() {
+        return AuthorizationContext.newInstance(
+                DittoAuthorizationContextType.PRE_AUTHENTICATED_HTTP,
+                AuthorizationSubject.newInstance("ditto:ditto")
+        );
+    }
+
+    private static AuthenticationResult getPreAuthResult() {
+        return DefaultAuthenticationResult.successful(DittoHeaders.empty(), getDummyAuthorizationContext());
+    }
+
+    private static JwtAuthenticationResult getTokenAuthResult() {
+        return JwtAuthenticationResult.successful(DittoHeaders.empty(), getDummyAuthorizationContext(),
+                new DummyJwt());
+    }
+}
\ No newline at end of file
diff --git a/services/gateway/security/src/main/java/org/eclipse/ditto/services/gateway/security/authentication/AuthenticationResult.java b/services/gateway/security/src/main/java/org/eclipse/ditto/services/gateway/security/authentication/AuthenticationResult.java
index d60963afda..896fd3357e 100644
--- a/services/gateway/security/src/main/java/org/eclipse/ditto/services/gateway/security/authentication/AuthenticationResult.java
+++ b/services/gateway/security/src/main/java/org/eclipse/ditto/services/gateway/security/authentication/AuthenticationResult.java
@@ -37,7 +37,6 @@ public interface AuthenticationResult {
      * @throws java.lang.RuntimeException the reason of failure if this method is called when {@link #isSuccess()}
      * evaluates to {@code false}.
      */
-    @Nullable
     AuthorizationContext getAuthorizationContext();
 
     /**
@@ -56,7 +55,6 @@ public interface AuthenticationResult {
      * @throws java.lang.IllegalStateException if this methods is called when {@link #isSuccess()} evaluates to
      * {@code true}.
      */
-    @Nullable
     Throwable getReasonOfFailure();
 
 }
diff --git a/services/gateway/security/src/main/java/org/eclipse/ditto/services/gateway/security/authentication/jwt/JwtPlaceholder.java b/services/gateway/security/src/main/java/org/eclipse/ditto/services/gateway/security/authentication/jwt/JwtPlaceholder.java
new file mode 100644
index 0000000000..a2e711536b
--- /dev/null
+++ b/services/gateway/security/src/main/java/org/eclipse/ditto/services/gateway/security/authentication/jwt/JwtPlaceholder.java
@@ -0,0 +1,63 @@
+/*
+ * Copyright (c) 2020 Contributors to the Eclipse Foundation
+ *
+ * See the NOTICE file(s) distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ */
+package org.eclipse.ditto.services.gateway.security.authentication.jwt;
+
+import static org.eclipse.ditto.model.base.common.ConditionChecker.argumentNotEmpty;
+import static org.eclipse.ditto.model.base.common.ConditionChecker.checkNotNull;
+
+import java.util.List;
+import java.util.Optional;
+
+import org.eclipse.ditto.json.JsonValue;
+import org.eclipse.ditto.model.jwt.JsonWebToken;
+import org.eclipse.ditto.model.placeholders.Placeholder;
+
+/**
+ * The placeholder that replaces {@code jwt:<body-claim>}.
+ */
+public final class JwtPlaceholder implements Placeholder<JsonWebToken> {
+
+    private static final JwtPlaceholder INSTANCE = new JwtPlaceholder();
+
+    /**
+     * Get the instance of {@code JwtPlaceholder}.
+     *
+     * @return the instance.
+     */
+    public static JwtPlaceholder getInstance() {
+        return INSTANCE;
+    }
+
+    @Override
+    public String getPrefix() {
+        return "jwt";
+    }
+
+    @Override
+    public List<String> getSupportedNames() {
+        return List.of();
+    }
+
+    @Override
+    public boolean supports(final String name) {
+        return true;
+    }
+
+    @Override
+    public Optional<String> resolve(final JsonWebToken jwt, final String placeholder) {
+        argumentNotEmpty(placeholder, "placeholder");
+        checkNotNull(jwt, "jwt");
+        return jwt.getBody().getValue(placeholder).map(JsonValue::formatAsString);
+    }
+
+}
diff --git a/services/gateway/starter/src/main/java/org/eclipse/ditto/services/gateway/starter/GatewayRootActor.java b/services/gateway/starter/src/main/java/org/eclipse/ditto/services/gateway/starter/GatewayRootActor.java
index c3855ef2d9..0ebd4bd8ec 100755
--- a/services/gateway/starter/src/main/java/org/eclipse/ditto/services/gateway/starter/GatewayRootActor.java
+++ b/services/gateway/starter/src/main/java/org/eclipse/ditto/services/gateway/starter/GatewayRootActor.java
@@ -27,6 +27,7 @@
 import org.eclipse.ditto.services.gateway.endpoints.routes.cloudevents.CloudEventsRoute;
 import org.eclipse.ditto.services.gateway.endpoints.routes.devops.DevOpsRoute;
 import org.eclipse.ditto.services.gateway.endpoints.routes.health.CachingHealthRoute;
+import org.eclipse.ditto.services.gateway.endpoints.routes.policies.OAuthTokenIntegrationSubjectIdFactory;
 import org.eclipse.ditto.services.gateway.endpoints.routes.policies.PoliciesRoute;
 import org.eclipse.ditto.services.gateway.endpoints.routes.sse.ThingsSseRouteBuilder;
 import org.eclipse.ditto.services.gateway.endpoints.routes.stats.StatsRoute;
@@ -273,7 +274,8 @@ private static Route createRoute(final ActorSystem actorSystem,
                         new CachingHealthRoute(statusAndHealthProvider, gatewayConfig.getPublicHealthConfig()))
                 .devopsRoute(new DevOpsRoute(proxyActor, actorSystem, httpConfig, commandConfig,
                         headerTranslator, devopsAuthenticationDirective))
-                .policiesRoute(new PoliciesRoute(proxyActor, actorSystem, httpConfig, commandConfig, headerTranslator))
+                .policiesRoute(new PoliciesRoute(proxyActor, actorSystem, httpConfig, commandConfig, headerTranslator,
+                        OAuthTokenIntegrationSubjectIdFactory.of(authConfig.getOAuthConfig())))
                 .sseThingsRoute(ThingsSseRouteBuilder.getInstance(streamingActor, streamingConfig, pubSubMediator)
                         .withProxyActor(proxyActor)
                         .withSignalEnrichmentProvider(signalEnrichmentProvider))
diff --git a/services/gateway/starter/src/main/resources/gateway.conf b/services/gateway/starter/src/main/resources/gateway.conf
index e3ed16262b..86756b7d62 100755
--- a/services/gateway/starter/src/main/resources/gateway.conf
+++ b/services/gateway/starter/src/main/resources/gateway.conf
@@ -176,7 +176,7 @@ ditto {
         }
 
         # template for subject to inject
-        token-integration-subject = "integration:{{policy-entry:label}}:{{jwt:sub}}}"
+        token-integration-subject = "integration:{{policy-entry:label}}:{{jwt:iss}}:{{jwt:sub}}}"
         token-integration-subject = ${?OAUTH_TOKEN_INTEGRATION_SUBJECT}
       }
 
diff --git a/services/gateway/util/src/main/java/org/eclipse/ditto/services/gateway/util/config/security/OAuthConfig.java b/services/gateway/util/src/main/java/org/eclipse/ditto/services/gateway/util/config/security/OAuthConfig.java
index 81d7c6f5c4..4d82d156c9 100644
--- a/services/gateway/util/src/main/java/org/eclipse/ditto/services/gateway/util/config/security/OAuthConfig.java
+++ b/services/gateway/util/src/main/java/org/eclipse/ditto/services/gateway/util/config/security/OAuthConfig.java
@@ -61,7 +61,8 @@ enum OAuthConfigValue implements KnownConfigValue {
         PROTOCOL("protocol", "https"),
         OPENID_CONNECT_ISSUERS("openid-connect-issuers", Collections.emptyMap()),
         OPENID_CONNECT_ISSUERS_EXTENSION("openid-connect-issuers-extension", Collections.emptyMap()),
-        TOKEN_INTEGRATION_SUBJECT("token-integration-subject", "integration:{{policy-entry:label}}:{{jwt:sub}}");
+        TOKEN_INTEGRATION_SUBJECT("token-integration-subject",
+                "integration:{{policy-entry:label}}:{{jwt:iss}}:{{jwt:sub}}");
 
         private final String path;
         private final Object defaultValue;
diff --git a/services/gateway/util/src/test/java/org/eclipse/ditto/services/gateway/util/config/security/DefaultOAuthConfigTest.java b/services/gateway/util/src/test/java/org/eclipse/ditto/services/gateway/util/config/security/DefaultOAuthConfigTest.java
index bd4528f7a6..f18a502dec 100644
--- a/services/gateway/util/src/test/java/org/eclipse/ditto/services/gateway/util/config/security/DefaultOAuthConfigTest.java
+++ b/services/gateway/util/src/test/java/org/eclipse/ditto/services/gateway/util/config/security/DefaultOAuthConfigTest.java
@@ -77,7 +77,7 @@ public void underTestReturnsDefaultValuesIfBaseConfigWasEmpty() {
                 .isEqualTo(OAuthConfig.OAuthConfigValue.OPENID_CONNECT_ISSUERS_EXTENSION.getDefaultValue());
 
         softly.assertThat(underTest.getTokenIntegrationSubject())
-                .isEqualTo("integration:{{policy-entry:label}}:{{jwt:sub}}");
+                .isEqualTo("integration:{{policy-entry:label}}:{{jwt:iss}}:{{jwt:sub}}");
     }
 
     @Test