The API Gateway cannot create an LTPA token. The Gateway could, however, broker the process by first validating the SMSession and extracting the userid, then calling out to an LTPA token generation endpoint to retrieve an LTPA token on behalf of the user. This would require the LTPA generation endpoint (an external service) to be set up to trust the API Gateway to assert the identity of the user.
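
The brokering flow described above, as an added example that is not code from the original text or from either product. SMSession validation and LTPA generation are stubbed, all function names are hypothetical, and the HMAC shared-key assertion is an assumed stand-in for whatever trust mechanism the deployment actually uses between the gateway and the endpoint.

```python
import hashlib
import hmac

# Constructed shared key: stands in for the real trust mechanism (assumption).
GATEWAY_KEY = b"constructed-demo-key"
MAX_SKEW_SECONDS = 60

def validate_smsession(cookie, sessions):
    """Gateway step 1 (stub): validate the SMSession, return the userid or None."""
    return sessions.get(cookie)

def _mac(userid, ts, key):
    return hmac.new(key, f"{userid}|{ts}".encode(), hashlib.sha256).hexdigest()

def build_assertion(userid, now, key=GATEWAY_KEY):
    """Gateway step 2: assert the already-validated userid to the token endpoint."""
    ts = str(int(now))
    return {"userid": userid, "ts": ts, "mac": _mac(userid, ts, key)}

def endpoint_issue_token(assertion, now, key=GATEWAY_KEY):
    """Token endpoint: issue only for a fresh assertion that the gateway signed."""
    try:
        userid, ts, mac = assertion["userid"], assertion["ts"], assertion["mac"]
        age = abs(int(now) - int(ts))
    except (KeyError, TypeError, ValueError):
        return None  # malformed assertion
    expected = _mac(userid, ts, key)
    if not hmac.compare_digest(expected.encode(), str(mac).encode()):
        return None  # not signed by the trusted gateway, or fields altered
    if age > MAX_SKEW_SECONDS:
        return None  # stale assertion, possible replay
    # Placeholder: a real endpoint would generate the LTPA token here.
    return f"LTPA-PLACEHOLDER-FOR-{userid}"

def broker(cookie, sessions, now):
    """Full flow: no valid SMSession means the endpoint is never called."""
    userid = validate_smsession(cookie, sessions)
    if userid is None:
        return None
    return endpoint_issue_token(build_assertion(userid, now), now)
```

Because the endpoint issues a token for whatever userid the gateway asserts, the trust credential gives the gateway the ability to obtain a token for any user and needs to be protected accordingly.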