This documentation is for WSO2 API Manager 1.9.0. View documentation for the latest release.

A scope is not always used for controlling access to a resource. You can also use it to simply mark an access token. Such scopes do not have to have roles associated with them. Skipping role validation for scopes is called scope whitelisting.
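The distinction described above, as a simplified model. This is an added example, not WSO2 code: the function names, scope names and roles are constructed, and the rule that unknown scopes are dropped is an assumption of the model. It also includes an audit check for the misconfiguration worth watching for, a whitelisted scope that still has roles bound to it.

```python
# Added illustration: a simplified model of scope validation with a whitelist.
# Not WSO2 code; all names and data below are constructed for the example.

def grant_scopes(requested, user_roles, scope_roles, whitelist):
    """Return the requested scopes that would be attached to a token.

    scope_roles: scope -> set of roles allowed to obtain it (role validation).
    whitelist:   scopes for which role validation is skipped entirely.
    """
    granted = []
    for scope in requested:
        if scope in whitelist:
            # Whitelisted: the scope only marks the token, no role check.
            granted.append(scope)
        elif scope in scope_roles and user_roles & scope_roles[scope]:
            # Role-bound: the user must hold at least one associated role.
            granted.append(scope)
        # Anything else is dropped (assumed behaviour of this model).
    return granted


def audit_whitelist(scope_roles, whitelist):
    """Flag whitelisted scopes that also have roles bound to them.

    In this model the whitelist is checked first, so the role binding of
    such a scope is never enforced and any requester can obtain it.
    """
    return sorted(s for s in whitelist if scope_roles.get(s))


# Constructed sample data.
SCOPE_ROLES = {"news_write": {"editor"}, "news_admin": {"admin"}}
WHITELIST = {"device_1234", "news_admin"}  # second entry is a misconfiguration

if __name__ == "__main__":
    print(grant_scopes(["news_write", "device_1234"], {"subscriber"},
                       SCOPE_ROLES, WHITELIST))
    print(audit_whitelist(SCOPE_ROLES, WHITELIST))
```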

If you do not want role validation for a scope in an API's request, whitelist the scope: add it under the APIKeyValidation element and restart the server. For example,

Code Block

Next, invoke the Token API to get a token for the scope that you just whitelisted. For example,