Skip to end of metadata
Go to start of metadata

WSO2 API Manager is a complete open source solution to manage APIs. It provides authorization and authentication for APIs using OAuth 2.0 standard. According to the OAuth specification, the client needs to get authorization from the resource owner when requesting an access token. The authorization is expressed in the form of an authorization grant, which the client uses to request the access token. There are 4 grant types defined in the OAuth core specification.

  • Authorization code
  • Implicit
  • Resource owner password credentials
  • Client credentials

Almost all scenarios explained in WSO2 API Manager online documentation makes use of the resource owner password credentials grant type. In WSO2 API Manager, access tokens are exchanged for user credentials and the client_id and client_secret.

This section explains how to use Authorization Code grant type with WSO2 API Manager.


  1. Download and install WSO2 API Manager.
  2. Install Apache Tomcat.

When calling an API hosted in WSO2 API Manager, it is necessary to associate an OAuth access token as part of the requests HTTP header to authenticate the caller.

POST http://localhost:8280/myapi/1.0.0 HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: "urn:echoInt"
Authorization: Bearer 21737b20a287fb4e207bf08bf3b17924

WSO2 API Manager consists of multiple components to provide unique functionalities required to manage the APIs hosted in it. Authorization server, which is one such components, is responsible for issuing tokens which are required to authenticate API consumers. Therefore, before making a API call, the application user should possess the relevant access token.

Obtaining the access token can be done in multiple ways. In other words, the four of the above OAuth grant types can be used to obtain access token from the authorization server. The following is required to obtain access tokens from each of the OAuth 2 grant types.

  • No labels