This documentation is for WSO2 API Manager 2.2.0. View documentation for the latest release.


An API creator blocks subscription to an API as a way of disabling access to it and managing its usage and monetization. A subscription block can be temporary or permanent, and you can unblock the subscription later to allow API invocations again.

You block APIs by subscriptions. That is, a given user is blocked from accessing a given API that s/he has subscribed to using a given application. If a user is subscribed to two APIs using the same application and you block access to only one of the APIs, s/he can still continue to invoke the other APIs that s/he subscribed to using the same application. Also, s/he can continue to access the same API subscribed to using different applications.

Using block subscription to an API, we can control only the subscriptions created for a specific API by a user. If you want to block all API requests from a specific application, user, or IP address, or to a specific API, you can use request blacklisting.

Blocking can be done at two levels:

  • Block production and sandbox access: API access is blocked with both production and sandbox keys.
  • Block production access only: Allows sandbox access only. This is useful when you want to fix and test an issue in an API. Rather than blocking all access, you can block production access only, allowing the developer to fix and test it.

When API Gateway caching is enabled (it is enabled by default), even after blocking a subscription, consumers might still be able to access APIs until the cache expires, which happens approximately every 15 minutes.

See the following topics for descriptions on the concepts that you need to know when you block subscriptions to an API:

  1. Sign in to the WSO2 API Publisher.
  2. Create two APIs by the names TestAPI1 and TestAPI2 and publish them to the WSO2 API Store.
    For more information, see Create and Publish an API.
  3. Sign in to the WSO2 API Store. Click on the APIs menu.
    Note that the two APIs are visible in the APIs page.
  4. Subscribe to both APIs using the same application.
    You can use the default application or create your own. 
  5. Click the View Subscriptions button when prompted.
    The Subscriptions tab opens.

  6. Click the Production Keys tab and click Generate Keys to create an application access token.
    If you have already generated an access token before, click Re-generate to renew the token.

  7. Invoke both APIs using the access token you received in the previous step.
    We use cURL here. The command is:

    curl -k -H "Authorization: Bearer <access_token>" '<API_URL>' 

    Be sure to replace the placeholders as follows:

    • <access_token> : Give the token generated in step 6.
    • <API_URL> : Go to the API's Overview tab in the API Store and copy the production URL and append the payload to it. 

    Here's an example:

    curl -k -H "Authorization: Bearer dda01682642ebf1285430d4d276201e5" 'https://localhost:8243/phoneverify3/1.0.0/CheckPhoneNumber?PhoneNumber=18006785432&LicenseKey=0'

    You have subscribed to two APIs and invoked them successfully. Let's block one subscription and see the outcome.

  8. Sign back in to the API Publisher and click Manage Subscriptions.
    It shows all APIs/applications that each user is subscribed to.
  9. Block subscription for TestAPI1 using the DefaultApplication by selecting the Production & Sandbox option and clicking the Block link.
    Note that the Block link immediately turns to Unblock, allowing you to reactivate the subscription at any time.
  10. Sign back in to the API Store.
  11. Invoke the two APIs (TestAPI1 and TestAPI2) again.

    You might have to regenerate the access token for DefaultApplication if the access token expiration time (1 hour by default) has passed since the last time you generated it.

    Note that you can invoke TestAPI2 again, but when you invoke TestAPI1, it gives a message that the requested API is temporarily blocked. Neither the API creator nor any subscriber can invoke the API until the block is removed.

  12. Go to the Applications page in the API Store and select the application that you used to subscribe to the API.
    Note that your subscription is blocked.
  13. Go back to the API Publisher's Manage Subscriptions page and unblock the subscription. 
  14. Invoke TestAPI1 again.
    Note that you can invoke it as usual.

You have subscribed to two APIs, blocked subscription to one and tested that you cannot invoke the blocked API.
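
The check in steps 11 to 14, together with the gateway cache delay noted earlier, as an added shell example that is not part of the WSO2 documentation: it polls the blocked API until the gateway returns the "temporarily blocked" message and reports how long enforcement took. `TOKEN`, `BLOCKED_URL`, `OTHER_URL` and the function names are assumptions, as is matching on that message text in the response body.

```bash
#!/usr/bin/env bash
# Added example. TOKEN, BLOCKED_URL, OTHER_URL and function names are assumptions.

# Classify a response body. Assumes the rejection body carries the
# "temporarily blocked" message described in step 11.
classify_body() {
  if printf '%s' "$1" | grep -qi 'temporarily blocked'; then
    echo blocked
  else
    echo allowed
  fi
}

# Invoke one API with the application token, as in step 7.
# -k skips TLS certificate checks; keep it for the local test gateway only.
invoke_api() {
  curl -ks -H "Authorization: Bearer $TOKEN" "$1"
}

# Poll <url> with <fetch> until it is blocked or <max_wait> seconds pass.
# Prints the seconds elapsed when the block was first seen; returns 1 on timeout.
wait_until_blocked() {
  local fetch="$1" url="$2" max_wait="$3" interval="$4" elapsed=0
  while [ "$elapsed" -le "$max_wait" ]; do
    if [ "$(classify_body "$("$fetch" "$url")")" = blocked ]; then
      echo "$elapsed"
      return 0
    fi
    sleep "$interval"
    elapsed=$((elapsed + interval))
  done
  return 1
}

if [ -n "${TOKEN:-}" ] && [ -n "${BLOCKED_URL:-}" ] && [ -n "${OTHER_URL:-}" ]; then
  # 960 s = the roughly 15-minute cache window plus a margin, polled every 30 s.
  if secs=$(wait_until_blocked invoke_api "$BLOCKED_URL" 960 30); then
    echo "block enforced after ${secs}s"
  else
    echo "still accessible after the cache window" >&2
    exit 1
  fi
  if [ "$(classify_body "$(invoke_api "$OTHER_URL")")" = allowed ]; then
    echo "other subscription unaffected"
  else
    echo "other subscription is blocked too" >&2
    exit 1
  fi
fi
```

A connection failure yields an empty body, which is classified as allowed, so confirm the gateway is reachable before relying on the result.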
