Users need access tokens to invoke APIs subscribed under an application. Access tokens are passed in the HTTP header when invoking APIs. The API Manager provides a Token API that you can use to generate and renew user and application access tokens. The response of the Token API is a JSON message. You extract the token from the JSON and pass it with an HTTP Authorization header to access the API.
The following topics explain how to generate access tokens and authorize them. WSO2 API Manager supports the four most common authorization grant types and you can also define additional types.