A runtime, backend component (an API proxy) developed using WSO2 ESB. API Gateway secures, protects, manages, and scales API calls. It intercepts API requests, applies policies such as throttling and security using handlers, and manages API statistics. Upon validation of a policy, the Gateway passes Web service calls to the actual backend. If the service call is a token request, the Gateway passes it directly to the Key Validator Manager.
When the API Manager is running, you can access the Gateway using the URL You integrate a monitoring and statistics component to the API Manager without any additional configuration effort. This monitoring component integrates with WSO2 Business Activity Monitor, which can be deployed separately to analyze events. For more information, see Publishing API Runtime Statistics.
Although the API Gateway contains ESB features, it is recommended not to use it for ESB-specific tasks. Use it only for Gateway functionality related to API invocations. For example, if you want to call external services like SAP, use a separate ESB cluster for that.
Handles all security and key-related operations. The Gateway connects with the Key Validator Manager to check the validity of OAuth tokens, subscriptions, API invocations, etc. The Key Validator Manager also provides a token API to generate OAuth tokens that can be accessed via the Gateway. All tokens used for validation are based on the OAuth 2.0.0 protocol. Secure authorization of APIs is provided by the OAuth 2.0 standard for key management. The API Gateway supports API authentication with OAuth 2.0, and enables IT organizations to enforce rate limits and throttling policies.
When the Gateway receives API invocation calls, it similarly contacts the Key Validator Manager service for verification. If is not enabled at the Gateway level, this verification call happens every time the Gateway receives an API invocation call. For this verification, the Gateway passes an access token, the API, and the API version to the Key Validator Manager. Communication between the API Gateway and the Key Validator Manager happens in either of the following ways:
If your setup has a cluster of multiple Key Validator Manager nodes that are fronted by a load balancer that does not support Thrift, change the key management protocol from Thrift to WSClient using the <KeyValidatorClientType> element in . Thrift uses TCP load balancing.
If you are using a distributed API Manager setup (i.e., Publisher, Store, Gateway and Key Validator Manager components are running on separate JVMs), edit the template in the Publisher node.
For information on configuring caching response messages and caching API calls at the Gateway and Key Validator Manager server, see Configuring Caching.
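The verification step described above, modelled as an added Python example (not WSO2 code): the Gateway sends the access token, API and API version to a stand-in Key Validator, with and without a Gateway-level cache. The class names, the TTL-based cache and the sample token are assumptions made for illustration; the run shows that caching reduces verification calls but keeps honoring a revoked token until the cached entry expires.

```python
import time

class KeyValidator:
    """Stand-in for the Key Validator Manager (hypothetical, in-memory)."""
    def __init__(self, subscriptions):
        self.subscriptions = subscriptions   # {token: {(api, version), ...}}
        self.revoked, self.calls = set(), 0  # calls = verification requests received

    def validate(self, token, api, version):
        self.calls += 1
        allowed = self.subscriptions.get(token, set())
        return token not in self.revoked and (api, version) in allowed

class Gateway:
    """Stand-in for the Gateway's verification step (hypothetical)."""
    def __init__(self, validator, cache_ttl=None, clock=time.monotonic):
        self.validator = validator
        self.cache_ttl = cache_ttl           # None: verify on every invocation
        self.clock = clock
        self._cache = {}                     # (token, api, version) -> (decision, expiry)

    def authorize(self, token, api, version):
        key = (token, api, version)          # all three values sent for verification
        now = self.clock()
        hit = self._cache.get(key)
        if hit and hit[1] > now:
            return hit[0]
        decision = self.validator.validate(token, api, version)
        if self.cache_ttl is not None:
            self._cache[key] = (decision, now + self.cache_ttl)
        return decision

def demo():
    t = [0.0]                                # fake clock so the run is deterministic
    subs = {"tok-A": {("orders", "1.0.0")}}  # constructed sample subscription
    kv_plain, kv_cached = KeyValidator(subs), KeyValidator(subs)
    plain = Gateway(kv_plain, clock=lambda: t[0])
    cached = Gateway(kv_cached, cache_ttl=60, clock=lambda: t[0])
    for gw in (plain, cached) * 3:           # three invocations through each Gateway
        gw.authorize("tok-A", "orders", "1.0.0")
    other_api = cached.authorize("tok-A", "billing", "1.0.0")  # separate cache key
    kv_plain.revoked.add("tok-A"); kv_cached.revoked.add("tok-A")
    out = {"other_api": other_api,
           "plain_after_revoke": plain.authorize("tok-A", "orders", "1.0.0"),
           "cached_after_revoke": cached.authorize("tok-A", "orders", "1.0.0")}
    t[0] = 61.0                              # past the 60 s TTL
    out["cached_after_expiry"] = cached.authorize("tok-A", "orders", "1.0.0")
    out["calls"] = (kv_plain.calls, kv_cached.calls)
    return out
```

Calling `demo()` returns the decisions and the number of verification calls each validator received, so the cache TTL can be read directly as the upper bound on how long a revoked token stays usable at the Gateway.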