As APIs and microservices continue to evolve, a secure and scalable architecture is critical for protection, with token-based systems offering a robust alternative to API keys or basic authentication. This article focuses on achieving Level 3 of the API Security Maturity Model using the Phantom Token Approach, where opaque tokens are exchanged for signed JSON Web Tokens (JWTs) so that trust is centralized in claims issued by the identity server. The Kong Gateway plays a key role by performing token introspection and handling the exchange process, which enhances security by keeping Personally Identifiable Information (PII) out of the tokens clients hold and allowing only authorized access to upstream APIs. Additionally, Open Policy Agent (OPA) can be integrated for fine-grained access control, enabling complex policy evaluation scenarios. The article provides resources and a practical setup using open-source tools like Kong Gateway and Curity Identity Server, emphasizing the importance of avoiding JWTs as public tokens to mitigate security risks and maintain system stability.
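The exchange described above, as an added example that is not code from the original article, from Kong, or from Curity: a self-contained Python simulation of the Phantom Token Approach. `AuthorizationServer`, `Gateway`, `upstream_api` and `policy_allows` are hypothetical stand-ins for the identity server, the API gateway, the upstream API and the policy engine respectively; HS256 with a constructed shared key is used only so the example runs with the standard library, where a real deployment would use asymmetric keys and the gateway would validate against the issuer's published keys. The example shows the two properties the approach relies on: the token a client holds is random and carries no claims or PII, and the upstream API accepts nothing but a signed JWT, so a client token that bypasses the gateway is rejected.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample key for the simulation only; never reuse in a real system.
SIGNING_KEY = b"constructed-demo-hs256-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AuthorizationServer:
    """Hypothetical identity server: issues opaque tokens and answers introspection."""

    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self._store = {}  # opaque token -> (claims, expiry as epoch seconds)

    def issue_opaque_token(self, claims: dict, ttl_seconds: int = 300) -> str:
        # The client-facing token is pure randomness: no claims, no PII, nothing to decode.
        token = secrets.token_urlsafe(32)
        self._store[token] = (dict(claims), int(time.time()) + ttl_seconds)
        return token

    def introspect(self, opaque_token: str, now=None):
        """Return a signed JWT carrying the stored claims, or None if the token is unknown or expired."""
        entry = self._store.get(opaque_token)
        if entry is None:
            return None
        claims, exp = entry
        if (time.time() if now is None else now) >= exp:
            return None
        return self._sign_jwt({**claims, "exp": exp})

    def _sign_jwt(self, payload: dict) -> str:
        header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
        body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
        sig = hmac.new(self._key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        return f"{header}.{body}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes, now=None):
    """Check structure, algorithm, HMAC signature and expiry; return the claims or None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, body_b64, sig_b64 = parts
    try:
        if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
            return None  # refuse anything but the expected algorithm (no 'none', no confusion)
        expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(body_b64))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    if (time.time() if now is None else now) >= claims.get("exp", 0):
        return None
    return claims


def policy_allows(claims: dict, method: str, path: str) -> bool:
    """Hypothetical policy decision (a simple scope rule standing in for an OPA policy)."""
    scopes = set(claims.get("scope", "").split())
    if path.startswith("/orders"):
        return ("orders:read" if method == "GET" else "orders:write") in scopes
    return False


def upstream_api(request: dict, key: bytes) -> dict:
    """Hypothetical upstream API: trusts only a valid signed JWT, never an opaque token."""
    auth = request.get("headers", {}).get("Authorization", "")
    claims = verify_jwt(auth[len("Bearer "):], key) if auth.startswith("Bearer ") else None
    if claims is None:
        return {"status": 401, "body": "upstream requires a signed JWT"}
    return {"status": 200, "body": f"orders for {claims['sub']}"}


class Gateway:
    """Hypothetical gateway performing introspection, policy check and token exchange."""

    def __init__(self, auth_server: AuthorizationServer, key: bytes):
        self._as, self._key = auth_server, key

    def handle(self, request: dict) -> dict:
        auth = request.get("headers", {}).get("Authorization", "")
        if not auth.startswith("Bearer "):
            return {"status": 401, "body": "missing bearer token"}
        jwt = self._as.introspect(auth[len("Bearer "):])
        claims = verify_jwt(jwt, self._key) if jwt else None
        if claims is None:
            return {"status": 401, "body": "invalid or expired token"}
        if not policy_allows(claims, request["method"], request["path"]):
            return {"status": 403, "body": "denied by policy"}
        # Exchange: the opaque token never reaches the upstream, the JWT never reaches the client.
        forwarded = {**request, "headers": {**request["headers"], "Authorization": f"Bearer {jwt}"}}
        return upstream_api(forwarded, self._key)


def run_demo() -> dict:
    auth_server = AuthorizationServer(SIGNING_KEY)
    gateway = Gateway(auth_server, SIGNING_KEY)
    claims = {"sub": "user-42", "email": "alice@example.com", "scope": "orders:read"}  # constructed
    opaque = auth_server.issue_opaque_token(claims)
    hdr = {"Authorization": f"Bearer {opaque}"}
    return {
        "pii_in_client_token": "alice@example.com" in opaque,
        "read": gateway.handle({"method": "GET", "path": "/orders", "headers": hdr})["status"],
        "write": gateway.handle({"method": "POST", "path": "/orders", "headers": hdr})["status"],
        "bogus": gateway.handle({"method": "GET", "path": "/orders",
                                 "headers": {"Authorization": "Bearer not-a-real-token"}})["status"],
        "bypass_gateway": upstream_api({"headers": hdr}, SIGNING_KEY)["status"],
    }


if __name__ == "__main__":
    print(run_demo())
```

`run_demo()` walks the four cases a reviewer would check: an in-scope request succeeds, an out-of-scope request is stopped by the policy step before any exchange, a fabricated client token fails introspection, and presenting the opaque token directly to the upstream is refused because only the gateway can turn it into something the upstream trusts.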