This documentation is for WSO2 API Manager 1.10.0 View documentation for the latest release.
Page Comparison - Extending Scope Validation (v.32 vs v.33) - API Manager 1.10.0 - WSO2 Documentation

Comment: Linked to definition on scope whitelisting


When a requested scope cannot be associated with a role, the token should still be issued without validating that scope. In WSO2 API Manager, you do this by whitelisting the scope through configuration. Patterns for the whitelisted scopes are specified via a configuration under the APIKeyValidator element in the <APIM_HOME>/repository/conf/api-manager.xml file. Scopes that match a pattern are not validated against roles and are available to anyone who requests them.


  1. Start the API Manager server and log into the API Store.
  2. Create an application. On the My Subscriptions tab for your application, click Generate Keys.
  3. Get the consumer key and consumer secret and create a command to call the token API.


    You can simply click the cURL button and select the relevant grant type.


  4. Get the token by calling the token API.


    Make sure you include a random scope in the request.

    Code Block
    # The token endpoint (https://localhost:8243/token, the default Gateway address) was missing from the original command.
    curl -k -d "grant_type=password&username=admin&password=admin&scope=some_random_scope" \
         -H "Authorization: Basic WmRFUFBvZmZwYVFnR25ScG5iZldtcUtSS3IwYTpSaG5ocEVJYUVCMEN3T1FReWpiZTJwaDBzc1Vh" \
         -H "Content-Type: application/x-www-form-urlencoded" \
         https://localhost:8243/token

    Along with the token, you receive a response from the server similar to the one below.

    Code Block

    You may not see the scope you requested in this response, as it has not been whitelisted yet.

  5. Shut down the server.

  6. To whitelist the scope, add the following under the <APIKeyValidator> element in the <APIM_HOME>/repository/conf/api-manager.xml file and restart the server.

    Code Block
  7. Call the token API using the same request used in step 4. You will receive a response similar to the one below.

    Code Block

    You see a successful response that includes the whitelisted scope you requested.
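To make the behaviour described in the introduction and observed in steps 4 and 7 concrete, here is an added model of the scope decision (written for this page, not WSO2's own code): whitelisted scopes are granted to anyone, role-bound scopes only to users holding a bound role, and anything else is dropped while the token is still issued. The whitelist patterns, the scope-to-role mapping and the full-match regex semantics are assumptions, not values from the page.

```python
import re
from typing import Dict, Iterable, List, Set

# Constructed sample configuration (assumed, not taken from the page):
# a pattern as it would be whitelisted under <APIKeyValidator>, and the
# scope-to-role bindings that APIs would otherwise enforce.
WHITELIST_PATTERNS: List[str] = [r"device_.*"]
SCOPE_ROLES: Dict[str, Set[str]] = {
    "order_read": {"customer", "admin"},
    "order_write": {"admin"},
}


def is_whitelisted(scope: str, patterns: Iterable[str]) -> bool:
    """A scope is whitelisted when any configured pattern matches the whole name
    (full-match semantics are an assumption of this model)."""
    return any(re.fullmatch(p, scope) for p in patterns)


def issued_scopes(requested: Iterable[str], user_roles: Iterable[str],
                  scope_roles: Dict[str, Set[str]] = SCOPE_ROLES,
                  patterns: Iterable[str] = WHITELIST_PATTERNS) -> List[str]:
    """Return the scopes that end up in the token's scope field.
    Whitelisted scopes skip the role check entirely; other scopes need a matching
    role; unknown or unauthorised scopes are silently dropped (the token is still
    issued, which is why step 4 shows no scope and step 7 does)."""
    roles = set(user_roles)
    granted = []
    for scope in requested:
        if is_whitelisted(scope, patterns):
            granted.append(scope)  # no role validation at all
        elif scope_roles.get(scope, set()) & roles:
            granted.append(scope)  # normal role-based validation passed
    return granted


def overbroad_patterns(patterns: Iterable[str],
                       scope_roles: Dict[str, Set[str]] = SCOPE_ROLES) -> List[str]:
    """Defender check: a whitelist pattern that matches a role-bound scope removes
    the role check for that scope, so such patterns should be flagged before deploy."""
    return [p for p in patterns if any(re.fullmatch(p, s) for s in scope_roles)]
```

Run the check against the patterns you intend to add in step 6; an empty result means no role-protected scope is being opened up to every caller.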