This documentation is for WSO2 API Manager 1.9.0. View documentation for the latest release.

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


The API Manager comprises the following high-level components:


API Publisher

Provides an end user, collaborative Web interface for API providers to publish APIs, share documentation, provision API keys, and gather feedback on API features, quality and usage. For API Publisher use cases, see API Developer Tutorials.

API Store

Provides an end-user, collaborative Web interface for API consumers to self register, discover API functionality, subscribe to APIs, evaluate them and interact with API publishers. For API Store use cases, see Application Developer Tutorials.

API Gateway

A runtime,


backend component (an API proxy) developed using WSO2 ESB. API Gateway secures, protects, manages, and scales API calls. It intercepts API requests, applies policies such as throttling and security using handlers and manages API statistics. Upon validation of a policy, the Gateway passes Web service calls to the actual


backend. If the service call is a token request, the Gateway passes it directly to the Key Manager. 

When the API Manager is running, you can access the Gateway using the URL https://localhost:9443/carbon. You integrate a monitoring and statistics component to the API Manager without any additional configuration effort. This monitoring component integrates with WSO2 Business Activity Monitor, which can be deployed separately to analyze events. For more information, see Publishing API Runtime Statistics .  


Although the API Gateway contains ESB features, it is recommended not to use it for ESB-specific tasks. Use it only for Gateway functionality related to API invocations. For example, if you want to call external services like SAP, use a separate ESB cluster for that.


Key Manager

Handles all security and key-related operations. The Gateway connects with the key manager to check the validity of OAuth tokens when APIs are invoked. The key manager also provides a token API to generate OAuth tokens that can be accessed via the Gateway. All tokens used for validation are based on OAuth 2.0.0 protocol. Secure authorization of APIs is provided by the OAuth 2.0 standard for key management. The API Gateway supports API authentication with OAuth 2.0, and enables IT organizations to enforce rate limits and throttling policies.

When the Gateway receives API invocation calls, it similarly contacts the Key Manager service for verification. If caching is not enabled at the Gateway level, this verification call happens every time the Gateway receives an API invocation call . For this verification, the Gateway passes access token, API, API version to the Key Manager. Communication between API Gateway and Key Manager happens in either of the following ways:  

  • Through a Web service call
  • Through a Thrift call (Thrift is the default communication protocol and is much faster than SOAP over HTTP)

If your setup has a cluster of multiple Key Manager nodes that are fronted by a


load balancer that does not support Thrift, change the key management protocol from Thrift to WSClient using the <KeyValidatorClientType> element in <APIM_HOME>/repository/conf/api-manager.xml file. Thrift uses TCP load balancing





When an API is created, a file with its synapse configuration is added to the API Gateway. You can find it in the<APIM_HOME>/repository/deployment/server/synapse-configs/default/api folder. It has a set of handlers, each of which is executed on the APIs in the same order they appear in the configuration. You find the default handlers in any API's Synapse definition

For a detailed description of handlers and how to write a custom handler, see Writing Custom Handlers.


Additionally, statistics are provided by the monitoring component, which integrates with WSO2 BAM.

The components are depicted in the diagram below: