This documentation is for WSO2 API Manager 1.5.0.
Page Comparison - Architecture Components (v.2 vs v.3) - API Manager 1.5.0 - WSO2 Documentation


The API Key Manager component handles all security and key-related operations. When the API Gateway receives API calls, it contacts the API Key Manager service to verify the validity of tokens and perform security checks. When the API Gateway receives login calls, it forwards them directly to the Key Manager server. Users must pass the username, password, consumer key and consumer secret key with it to register their applications. All tokens used for validation are based on the OAuth 2.0.0 protocol. Secure authorization of APIs is provided by the OAuth 2.0 standard for key management. The API Gateway supports API authentication with OAuth 2.0, and enables IT organizations to enforce rate limits and throttling policies.

When the API Gateway receives API invocation calls, it similarly contacts the API Key Manager service for verification. If caching is not enabled at the Gateway level, this verification call happens every time the Gateway receives an API invocation call. For this verification, the Gateway passes the access token, the API and the API version to the Key Manager.
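The following is an added sketch, not WSO2 code, of the verification step described above: a Gateway that either asks the Key Manager on every call or answers from a local cache keyed on access token, API and API version. The class and function names, the 60-second expiry and the sample token are assumptions made for the illustration; it shows that with caching enabled a token revoked at the Key Manager keeps validating at the Gateway until the cached entry expires.

```python
import time

class GatewayKeyValidator:
    """Added model of the Gateway's validation step (names are hypothetical)."""

    def __init__(self, key_manager, cache_enabled, ttl_seconds=60.0, clock=time.monotonic):
        self._key_manager = key_manager      # callable(token, api, version) -> bool
        self._cache_enabled = cache_enabled
        self._ttl = ttl_seconds              # assumed expiry; not a product default
        self._clock = clock
        self._cache = {}                     # (token, api, version) -> (valid, expires_at)
        self.key_manager_calls = 0

    def validate(self, token, api, version):
        key = (token, api, version)
        now = self._clock()
        if self._cache_enabled:
            hit = self._cache.get(key)
            if hit is not None and hit[1] > now:
                return hit[0]                # answered locally, Key Manager not contacted
        self.key_manager_calls += 1
        valid = bool(self._key_manager(token, api, version))
        if self._cache_enabled:
            self._cache[key] = (valid, now + self._ttl)
        return valid


def run_scenario(cache_enabled):
    """Three calls, then revocation at the Key Manager, then calls inside and after the TTL."""
    granted = {("constructed-token", "SampleAPI", "1.0.0")}   # constructed sample data
    now = [0.0]                                               # fake clock for determinism
    gw = GatewayKeyValidator(lambda t, a, v: (t, a, v) in granted,
                             cache_enabled, ttl_seconds=60.0, clock=lambda: now[0])
    args = ("constructed-token", "SampleAPI", "1.0.0")
    before = [gw.validate(*args) for _ in range(3)]
    calls_before = gw.key_manager_calls
    other_version = gw.validate("constructed-token", "SampleAPI", "2.0.0")
    granted.clear()                                           # token revoked at Key Manager
    now[0] = 30.0
    inside_ttl = gw.validate(*args)
    now[0] = 61.0
    after_ttl = gw.validate(*args)
    return {"before": before, "calls_before": calls_before, "other_version": other_version,
            "inside_ttl": inside_ttl, "after_ttl": after_ttl, "total_calls": gw.key_manager_calls}


if __name__ == "__main__":
    for enabled in (False, True):
        print(enabled, run_scenario(enabled))
```

When Gateway caching is enabled, the cache expiry bounds how long a revoked token stays usable, so it should be chosen with revocation latency in mind.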

Communication between API Gateway and Key Manager happens in either of the following ways:



  • Through a Web service call between Key Manager and Gateway
  • Through a Thrift call between Key Manager and Gateway

The following diagram depicts the collaboration of these main components with an easily integrable monitoring and statistics component.