With WSO2 API Manager, you can maintain a production and a sandbox endpoint for a given API. The production endpoint is the actual location of the API, whereas the sandbox endpoint points to its testing/pre-production environment.
When you publish an API using the API Publisher, it gets deployed on the API Gateway. By default, there's a single Gateway instance (deployed either externally or embedded within the publisher). This Gateway instance handles both production and sandbox token traffic. Therefore, it is called a Hybrid API Gateway. When an API request comes to the API Gateway, it checks whether the requesting token is of type PRODUCTION or SANDBOX and forwards the request to the appropriate endpoint. The diagram below depicts this scenario.
Figure: Both production and sandbox API requests are handled through a single Gateway (default scenario)
Having a single gateway instance to pass through both production and API testing requests can negatively impact the performance of the production server. To avoid this, you can set up two separate API Gateways: one to pass through production traffic and the other for sandbox traffic.
Figure: Two Gateways to handle production and sandbox API requests separately
In this approach, the production API Gateway handles requests that are made using PRODUCTION type tokens and the sandbox API Gateway handles requests that are made using SANDBOX type tokens.
In either of the two approaches, if an API Gateway receives an invalid token, it returns an error to the requesting client saying that the token is invalid. The <APIGateway> element of the <PRODUCT_HOME>/repository/conf/api-manager.xml file contains details of how to configure the API Publisher to publish APIs to different Gateways.
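The two-gateway layout described above could be declared along the following lines. This is an added example, not taken from the WSO2 documentation or from a shipped api-manager.xml. It assumes the <Environments>/<Environment type="..."> layout of the <APIGateway> element; child elements can differ between product versions, and the host names, ports, user names and passwords are constructed placeholders.

```xml
<!-- Added example: Publisher-side declaration of two gateways.
     All hosts, ports and credentials below are constructed placeholders. -->
<APIGateway>
    <Environments>
        <!-- Handles requests made with PRODUCTION type tokens -->
        <Environment type="production">
            <Name>Production Gateway</Name>
            <!-- Admin service URL the Publisher deploys APIs to; keep it on HTTPS
                 and reachable only from the Publisher node -->
            <ServerURL>https://gw-prod.example.com:9443/services/</ServerURL>
            <!-- Dedicated deployment account, not the default admin user -->
            <Username>PROD_DEPLOY_USER</Username>
            <Password>PROD_DEPLOY_PASSWORD</Password>
            <!-- Endpoints API consumers call -->
            <GatewayEndpoint>http://gw-prod.example.com:8280,https://gw-prod.example.com:8243</GatewayEndpoint>
        </Environment>

        <!-- Handles requests made with SANDBOX type tokens -->
        <Environment type="sandbox">
            <Name>Sandbox Gateway</Name>
            <ServerURL>https://gw-sandbox.example.com:9443/services/</ServerURL>
            <!-- Separate credentials, so access to the test gateway
                 does not also grant deployment rights on production -->
            <Username>SANDBOX_DEPLOY_USER</Username>
            <Password>SANDBOX_DEPLOY_PASSWORD</Password>
            <GatewayEndpoint>http://gw-sandbox.example.com:8280,https://gw-sandbox.example.com:8243</GatewayEndpoint>
        </Environment>
    </Environments>
</APIGateway>
```

For the default single-gateway scenario, one <Environment type="hybrid"> entry takes the place of the two entries shown here.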