This documentation is for WSO2 API Manager 1.10.0 View documentation for the latest release.
Page Comparison - Token API (v.3 vs v.9) - API Manager 1.10.0 - WSO2 Documentation

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.

Users need access tokens to invoke APIs subscribed under an application. Access tokens are passed in the HTTP header when invoking APIs. The API Manager provides a Token API that you can use to generate and renew user and application access tokens. The response of the Token API is a JSON message. You extract the token from the JSON and pass it with an HTTP Authorization header to access the API.

The following topics explain how to generate /renew access tokens and authorize them. WSO2 API Manager supports the four most common authorization grant types and you can also define additional types.

Children Display

Also see the followingThe following sections explain how to renew and revoke access tokens and how you can configure the token expiration time

Table of Contents

Renewing access tokens


  • The Token API URL is https://localhost:8243/token, assuming that both the client and the Gateway are run on the same server.
  • payload: "grant_type=refresh_token&refresh_token=<retoken>&scope=PRODUCTION". Replace the <retoken> value with the refresh token generated in the previous sectionstep.
  • headers: Authorization :Basic <base64 encoded string>, Content-Type: application/x-www-form-urlencoded. Replace <base64 encoded string> as appropriate.          

For example, the following cURL command can be used to access the Token API.

Code Block
curl -k -v -d "grant_type=refresh_token&refresh_token=<retoken>&scope=PRODUCTION" -H "Authorization: Basic SVpzSWk2SERiQjVlOFZLZFpBblVpX2ZaM2Y4YTpHbTBiSjZvV1Y4ZkM1T1FMTGxDNmpzbEFDVzhh," -H "Content-Type: application/x-www-form-urlencoded" https://localhost:8243/token

You receive a response similar to the following:

Code Block

The above REST message grants you a renewed access token along with a refresh token, which you can use the next time you renew the access token. A refresh token can be used only once. You can configure an expiration time for the refresh token by setting it in the <RefreshTokenValidityPeriod> element in the <APIM_HOME>/repository/conf/identity/identity.xml file. 


  • The token to be revoked
  • Consumer key and consumer secret key. Must be encoded using Base64 algorithm

For example,

Code Block
curl -k -v -d "token=<ACCESS_TOKEN_TO_BE_REVOKED>" -H "Authorization:


 Basic aFNOM3k0aVFHVUNVZnZvdmFrVXE1U3ExQ1RRYTpYMmRvVFZSeFhEN1FfT2xLOWtzQlB2UkJCbFVh"Content-Type: application/x-www-form-urlencoded http://localhost:8280/revoke
titleRevoking access tokens obtained with an Implicit grant

If you obtained an access token with the Implicit grant type, you do not have to provide the client secret to revoke it. The sample cURL command to revoke an access token with Implicit grant is given below.

Code Block
curl -X POST -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -d "token=<REFRESH_TOKEN_TO_BE_REVOKED>&token_type_hint=access_token&client_id=<CLIENT_ID>" http://localhost:



You receive an empty response with the HTTP status as 200. The following HTTP headers are returned:

Code Block
Revokedaccesstoken: a0d210c7a3de7d548e03f1986e9a5c39
Authorizeduser: admin@carbon.super
Revokedrefreshtoken: 5e87a8235cd4d066e15c4c989f5ecf94
Content-Type: text/html
Pragma: no-cache
Cache-Control: no-store
Date: Tue, 23 Aug 2016 19:28:52 GMT
Transfer-Encoding: chunked

Note that if you use an invalid access token, you still receive an empty response with the HTTP status as 200 but only the following HTTP headers are returned:

Code Block
Content-Type: text/html
Pragma: no-cache
Cache-Control: no-store
Date: Tue, 23 Aug 2016 19:31:45 GMT
Transfer-Encoding: chunked
Tip: When the API Gateway cache is enabled (it is enabled by default), even after revoking a token, it might still be available in the cache to consumers until the cache expires in approximately 15 minutes.