Child pages
  • Generate Access Tokens to Authenticate APIs

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

An access token is a simple string that is passed as an HTTP header of a request. For example, "Authorization: Bearer NtBQkXoKElu0H1a1fQ0DWfo6IX4a." Access tokens authenticate API users and applications, and ensure better security (e.g., prevent DoS attacks). If a token that is passed with a request is invalid, the request is discarded in the first stage of processing. Access tokens work equally well for SOAP and REST calls.

There are two types of access tokens:

  • Application Access Tokens : Tokens to authenticate an application, which is a logical collection of APIs. You to access all APIs associated with an application using a single token, and also subscribe multiple times to a single API with different SLA levels. Application access tokens leverage OAuth2 to provide simple key management.
  • User Access Tokens : Tokens to authenticate the final user of an API. User access tokens allow users to invoke an API even from a third-party application like a mobile app.

The sections below show how to generate and renew each type of access token:

Table of Contents
maxLevel3
minLevel3

...

Generate/renew application access tokens

The steps below describe how to generate application access tokens:

  1. Log in to the API Store.
  2. Click the My Subscriptions from the menu bar at the top of the screen. The Subscriptions page opens, using which you can generate a production key and/or a sandbox key for testing purpose.
    The two inputs mean the following:

    Allowed Domains

    The domains from which requests are allowed to the APIs. Leave empty or enter "ALL" to allow all domains.

    , select the application from the drop-down list and click the Generate or Regenerate buttons to create and renew access tokens.
    Image Added

    Whenever an API call happens, the Gateway checks if the request originated from an allowed domain and grants access accordingly. You can specify these domains in the Allowed Domains text box. This ensures that clients from a restricted domain cannot access an API even if an application key is stolen (when the key is placed in client-side JS code).

    Info

    Tip: When the client makes a request to an API that is only allowed to some domains, the request message must have an HTTP header to specify its domain name. Sending this header is mandatory only if the API is restricted to certain domains. An admin can configure this header name using <ClientDomainHeader> element under the <APIGateway> element in <APIM_HOME>/repository/conf/api-manager.xml.

    For example, if the file contains <ClientDomainHeader>domain</ClientDomainHeader>, then the API invocation request must contain an HTTP header called domain with values as shown in the example below:


    curl -v -H "Authorization: Bearer xxx" -H "domain: wso2.com" http://localhost:8280/twitter/1.0.0/search.atom?q=cat


    Token ValidityText AreaThe period after which the token will be expired after generation. A negative value ensures that the token will never expire.

...

...

When an application access token expires, you renew it by logging into the API Store, selecting the My Subscriptions menu and and clicking Re-generate.

Image Removed

...