This documentation is for WSO2 API Manager 1.5.0.
Page Comparison - Working with Access Tokens (v.29 vs v.31) - API Manager 1.5.0 - WSO2 Documentation



  1. Log in to the API Store (https://<hostname>:9443/store).
  2. Click My Subscriptions from the menu bar at the top of the screen.
  3. The Subscriptions page opens with the following options:
    Generate button: Use the Generate button associated with each type of key to generate an access token. It generates an application key as well as a consumer key and a consumer secret. For testing purposes, you can also create a sandbox key.

    Allowed Domains Text Area: Allows you to associate a set of domains, as a comma-separated list, with a token. The API Gateway allows requests to the APIs from those domains only. Requests from other domains are restricted. Leave this field blank to allow all domains.

    With the allowed domains feature, a client from a different domain cannot access an API even if an application key is stolen (for example, when the key is placed in client-side JavaScript code). Whenever an API call happens, the Gateway checks whether the request originated from a domain in the allowed list. This is the same approach that Google Maps uses.

    When a client makes a request to an API that is restricted to certain domains, the request message must carry an HTTP header that specifies the client's domain name. An API Manager administrator can configure the name of this header using the <ClientDomainHeader> element under the <APIGateway> element in <APIM_HOME>/repository/conf/api-manager.xml. For example, if the file contains <ClientDomainHeader>domain</ClientDomainHeader>, then the API invocation request must contain an HTTP header called domain, with values as shown in the example below:
    curl -v -H "Authorization: Bearer xxx" -H "domain:" http://localhost:8280/twitter/1.0.0/search.atom?q=cat

    Sending this header is mandatory only if the API is restricted to certain domains.

    Token Validity Text Area: Set the period after which a generated token expires. Set it to a negative value to ensure that the token never expires. Also see Changing the default token expiration time.
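
A minimal model of the allowed-domains decision described above, added here as an illustration and not WSO2's gateway code. The function names, the constructed config fragment, case-insensitive exact matching, and failing closed when no header is configured are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed fragment of api-manager.xml: only the elements named on the page.
SAMPLE_CONFIG = """<APIManager>
  <APIGateway>
    <ClientDomainHeader>domain</ClientDomainHeader>
  </APIGateway>
</APIManager>"""


def _local(tag):
    """Strip an XML namespace prefix such as '{uri}' from a tag name."""
    return tag.rsplit("}", 1)[-1]


def client_domain_header(config_xml):
    """Return the header name set under <APIGateway>, or None if absent/empty."""
    root = ET.fromstring(config_xml)
    for gateway in (e for e in root.iter() if _local(e.tag) == "APIGateway"):
        for child in gateway:
            if _local(child.tag) == "ClientDomainHeader":
                return (child.text or "").strip() or None
    return None


def parse_allowed_domains(field):
    """Split the Allowed Domains text area; a blank field means no restriction."""
    return {d.strip().lower() for d in field.split(",") if d.strip()}


def check_request(allowed_field, header_name, request_headers):
    """Return (allowed, reason) for one request against one token's domain list."""
    allowed = parse_allowed_domains(allowed_field)
    if not allowed:
        return True, "token not restricted to domains"
    if not header_name:
        # Assumption: a restricted token with no configured header fails closed.
        return False, "no ClientDomainHeader configured"
    # HTTP header names are case-insensitive, so normalise before the lookup.
    headers = {k.lower(): v for k, v in request_headers.items()}
    value = headers.get(header_name.lower(), "").strip().lower()
    if not value:
        return False, "domain header missing"
    if value in allowed:
        return True, "domain allowed"
    return False, "domain not in allowed list"
```

The header value is supplied by the client, as in the curl call on the page, so keep a finite token validity and use Re-generate when a key is suspected stolen rather than relying on the domain list alone.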


When an application access token expires, consumers can refresh the token by logging in to the API Store, selecting the My Subscriptions link at the top of the screen, and clicking Re-generate. You can also specify a token expiration time for the application access token or change its allowed domains. Set the expiration time to a negative value to ensure that the token never expires.


Renewing user access token