The Token API issues the access tokens that a third-party application, such as a mobile app, presents when it invokes an API. It comes bundled with the API Manager by default. The application authenticates to it with HTTP Basic authentication, using the base64-encoded consumer-key:consumer-secret pair.

For instructions to generate an application-level access token from the API Store, see Working with Access Tokens.


  1. Combine the consumer key and consumer secret in the format consumer-key:consumer-secret and base64-encode the combined string. Encoding to base64 can be done using the URL:
    Note that pasting the consumer secret into a third-party web encoder discloses the secret to that site; a local tool such as the base64 command-line utility avoids this.
    Here's an example consumer key and secret combination: wU62DjlyDBnq87GlBwplfqvmAbAa:ksdSdoefDDP7wpaElfqvmjDue.
  2. Access the Token API with a REST client such as the WSO2 REST Client or cURL, using the following parameters.
    • Assuming that both the client and the API Gateway run on the same server, the Token API URL is https://localhost:8243/token
    • payload - "grant_type=password&username=<username>&password=<password>&scope=PRODUCTION". Replace <username> and <password> with the credentials of the user on whose behalf the token is issued.
    • headers - Authorization: Basic <base64 encoded string> and Content-Type: application/x-www-form-urlencoded. Replace <base64 encoded string> with the value produced in step 1.

    For example, use the following cURL command to access the Token API. The response carries two tokens: an access token and a refresh token. You use the refresh token to renew the access token when it expires.

    curl -k -d "grant_type=password&username=<username>&password=<password>&scope=PRODUCTION" -H "Authorization: Basic SVpzSWk2SERiQjVlOFZLZFpBblVpX2ZaM2Y4YTpHbTBiSjZvV1Y4ZkM1T1FMTGxDNmpzbEFDVzhh" -H "Content-Type: application/x-www-form-urlencoded" https://localhost:8243/token

    Each header goes in its own -H option. The -k option disables TLS certificate verification; it is acceptable only against a local test gateway with a self-signed certificate. Against any other gateway, drop -k and point cURL at the gateway's CA certificate with --cacert so that the user's password and the consumer secret are not sent to an unverified endpoint.

    The Token API endpoint is defined in the <APIM_HOME>/repository/deployment/server/synapse-configs/default/api/_TokenAPI_.xml file (_LoginAPI_.xml in the same directory is the deprecated predecessor). When you run the server with a port offset from the default port (9443), update the endpoints defined inside _TokenAPI_.xml and _LoginAPI_.xml to match that offset. See Changing the Default Ports with Offset.


    User access tokens have a fixed validity period, 60 minutes by default. To change it, edit the <AccessTokenDefaultValidityPeriod> element (the value is in seconds) in <PRODUCT_HOME>/repository/conf/identity.xml before deploying the API Manager to users. A longer validity period reduces how often clients must renew tokens, but it also lengthens the window in which a leaked token remains usable, so extend it only as far as the applications actually need.

    When a user access token expires, the user can regenerate it with the refresh token as explained in the Renew user tokens section.
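The following script is an added example, not code from the WSO2 documentation. It carries out steps 1 and 2 above (build the Basic credential, send the password-grant request), pulls both tokens out of the response, and then renews the access token with the refresh token. It assumes a POSIX shell with curl and base64 on the PATH, a gateway at https://localhost:8243/token (overridable through TOKEN_URL), and that the Token API honours the standard OAuth2 refresh_token grant; the sample JSON response embedded in it is constructed for illustration and its token values are invented.

```shell
#!/bin/sh
# Added example, not WSO2 documentation code. Assumptions: POSIX sh, curl and
# base64 on the PATH, gateway at https://localhost:8243/token, and that the
# Token API accepts the standard OAuth2 refresh_token grant.
set -eu

TOKEN_URL="${TOKEN_URL:-https://localhost:8243/token}"

# Step 1: base64(consumer-key:consumer-secret) as a single unwrapped line.
# GNU base64 wraps output at 76 columns, which would corrupt the header; tr
# removes any newline so the credential is safe to place in the header.
basic_credential() {
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# TLS options: verify the gateway against CA_BUNDLE when it is set, and fall
# back to -k (no certificate check) only for a local self-signed test gateway.
tls_opts() {
  if [ -n "${CA_BUNDLE:-}" ]; then
    printf '%s %s' --cacert "$CA_BUNDLE"
  else
    printf '%s' -k
  fi
}

# Step 2: password grant. --data-urlencode, rather than -d, keeps a password
# that contains & or % from breaking the form body. Prints the JSON response.
request_token() {
  cred=$(basic_credential "$1" "$2")
  curl -s $(tls_opts) \
    -H "Authorization: Basic $cred" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    --data-urlencode "grant_type=password" \
    --data-urlencode "username=$3" \
    --data-urlencode "password=$4" \
    --data-urlencode "scope=PRODUCTION" \
    "$TOKEN_URL"
}

# Renewal: exchange the refresh token for a fresh access/refresh pair without
# re-sending the user's password (refresh_token grant, assumed here).
renew_token() {
  cred=$(basic_credential "$1" "$2")
  curl -s $(tls_opts) \
    -H "Authorization: Basic $cred" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    --data-urlencode "grant_type=refresh_token" \
    --data-urlencode "refresh_token=$3" \
    --data-urlencode "scope=PRODUCTION" \
    "$TOKEN_URL"
}

# Extract one string field from a flat JSON token response without jq.
json_field() {
  printf '%s\n' "$2" | sed -n 's/.*"'"$1"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Constructed sample response in the shape the Token API returns; the token
# values are invented for this example, not real tokens.
SAMPLE_RESPONSE='{"scope":"PRODUCTION","token_type":"bearer","expires_in":3600,"refresh_token":"c0nstructedRefreshT0ken","access_token":"c0nstructedAccessT0ken"}'

# Live run only on request, so the script can be sourced or tested offline:
#   RUN_DEMO=1 CONSUMER_KEY=... CONSUMER_SECRET=... APIM_USER=... APIM_PASS=... sh token.sh
if [ "${RUN_DEMO:-0}" = 1 ]; then
  resp=$(request_token "$CONSUMER_KEY" "$CONSUMER_SECRET" "$APIM_USER" "$APIM_PASS")
  access=$(json_field access_token "$resp")
  refresh=$(json_field refresh_token "$resp")
  echo "access token:  $access"
  echo "expires in:    $(printf '%s\n' "$resp" | sed -n 's/.*"expires_in"[[:space:]]*:[[:space:]]*\([0-9]*\).*/\1/p') s"
  # Later, once the access token has expired, renew with the refresh token:
  renewed=$(renew_token "$CONSUMER_KEY" "$CONSUMER_SECRET" "$refresh")
  echo "renewed token: $(json_field access_token "$renewed")"
fi
```

The credential and the user's password travel in the same request, so the script never prints either; keep CONSUMER_SECRET and APIM_PASS in the environment or a secrets store rather than on the command line, where they would be visible in the process list and shell history.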