- Log in to the API Store.
Click the My Subscriptions menu, select the application from the drop-down list and click the Generate or Regenerate buttons to create and renew access tokens.
Whenever an API call happens, the Gateway checks if the request originated from an allowed domain and grants access accordingly. You can specify these domains in the Allowed Domains text box. This ensures that clients from a restricted domain cannot access an API even if an application key is stolen (when the key is placed in client-side JS code).
Tip: When the client makes a request to an API that is only allowed to some domains, the request message must have an HTTP header to specify its domain name. Sending this header is mandatory only if the API is restricted to certain domains. An admin can configure this header name usingin
For example, if the file contains
<ClientDomainHeader>domain</ClientDomainHeader>, then the API invocation request must contain an HTTP header called
domainwith values as shown in the example below:
curl -v -H "Authorization: Bearer xxx" -H "domain: wso2.com" http://localhost:8280/twitter/1.0.0/search.atom?q=cat
Tip: When you generate access tokens to APIs protected by scopes, a Select Scopes button is displayed in the My Subscriptions page for you to select the scope first and then generate the token to it.
Throttling allows you to limit the number of successful hits to an API during a given period of time, typically in cases such as the following:
Tip: When you generate access tokens to APIs protected by scopes, a Select Scopes button will be displayed in the My Subscriptions page for you to select the scope first and then generate the token to it.