

  1. Log in to the API Cloud.

  2. In the WSO2 API Publisher, click an API (e.g., PhoneVerification 1.0.0) to open it.

  3. Click the View in Store link that appears in the Overview tab of the API. You can also go to the API Store using the URL<tenant_name>.

  4. Note the subscription options on the right-hand side of the page that opens. Select the default application, the Bronze tier and subscribe to the API.

  5. When prompted, choose to view subscriptions. 

  6. The details of the application that you used to subscribe to the API open. Click the Production Keys tab and click Generate keys.


    By default, the Client Credentials grant type is used to generate the access token. Make sure the Client Credentials grant type is selected when generating keys from the UI. Refer to Token API for more information on generating tokens with the supported grant types of WSO2 API Manager Cloud.


    You can set a token validity period in the given text box. By default, it is set to one hour (3600 seconds). If you set a negative value (e.g., -1), the token will never expire.

    However, even a non-expiring token can be revoked in some situations, such as when the user password is changed, the client secret is changed, the token revoke API is called, or the authorization service provider detects that the tokens are compromised due to a security breach.


    1. It is not recommended to hard-code such access tokens in client applications that communicate with the API Manager in any production environment.
    2. You should use the recommended methods of obtaining the token by using the relevant grant type.
    3. Hard-coding the token needs to be done with caution. If you do so, the application needs to be provisioned to get a new token in case the current hard-coded token is invalidated by the system.

  7. After the keys are generated, click the APIs menu in the API Store and then click the API that you want to invoke. 

  8. When the API opens, click its API Console tab.

  9. Expand the GET method, provide the required parameters and click Try it Out. For example,

    PhoneNumber: E.g., 18006785432

    LicenseKey: Give 0 for testing purposes.

    Authorization: The API console is automatically populated with the access token that you generated in step 6 after subscribing to the API. The token is prefixed by the string "Bearer" as per the OAuth bearer token profile. OAuth security is enforced on all published APIs. If the application key is invalid, you get a 401 Unauthorized response in return.

    Base URL: Appears at the bottom of the console. Using the base URL and the parameters, the system creates the API URL.


    If you cannot invoke the API's HTTPS endpoint (which causes the SSLPeerUnverified exception), it could be because the security certificate issued by the server is not trusted by your browser. To resolve this issue, access the HTTPS endpoint directly from your browser and accept the security certificate.

  10. Note the response for the API invocation. As we used a valid phone number in this example, the response is valid.
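The flow from steps 6 and 9 as client code, added here as an example (it is not WSO2's code): it obtains a token with the Client Credentials grant, sends it as a Bearer header, and renews it once when the gateway answers 401, instead of relying on a hard-coded token. TOKEN_URL is a placeholder, and the names fetch_token, http_send and ApiClient are hypothetical.

```python
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://gateway.example.invalid/token"  # placeholder, not a real endpoint


def fetch_token(client_id, client_secret):
    """Client Credentials grant: returns (access_token, expiry_epoch)."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req = urllib.request.Request(
        TOKEN_URL,
        data=urllib.parse.urlencode({"grant_type": "client_credentials"}).encode(),
        headers={"Authorization": f"Basic {basic}"},
    )
    with urllib.request.urlopen(req) as resp:
        body = json.load(resp)
    return body["access_token"], time.time() + int(body["expires_in"])


def http_send(url, headers):
    """GET url; returns (status, body) and maps HTTP errors to a status code."""
    try:
        with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as r:
            return r.status, r.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


class ApiClient:
    """Caches the bearer token; renews it near expiry or after a 401."""
    def __init__(self, get_token, send=http_send):
        self._get_token = get_token  # () -> (token, expiry_epoch)
        self._send = send            # (url, headers) -> (status, body)
        self._token, self._expiry = None, 0.0

    def _bearer(self, force=False):
        if force or self._token is None or time.time() >= self._expiry - 30:
            self._token, self._expiry = self._get_token()
        return {"Authorization": f"Bearer {self._token}"}

    def get(self, url):
        status, body = self._send(url, self._bearer())
        if status == 401:  # token revoked or invalidated: renew, retry once
            status, body = self._send(url, self._bearer(force=True))
        return status, body
```

Construct it as `ApiClient(lambda: fetch_token(key, secret))`, with the consumer key and secret read from the environment or a secret store rather than from source code.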