Try WSO2 Cloud for Free
Sign in

All docs This doc

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


  1. On the Configure menu, click External Users.

  2. Click the API Consumer Authentication tab.

  3. Click Connect your RESTful Authentication Service.

    • If you need to use an existing SAML identity provider instead, see SAML Extension Grant.
    • If you need to connect your LDAP user store instead, you can either provide the LDAP connection information and password (if LDAP is directly reachable from API Cloud) or use the Integration Cloud's connection to your directory (in which case you need to first go to Identity Cloud, download and configure the agent to hook up your directory to WSO2 Cloud. For more information, see Configuring an On-premise User Store).

    You need to implement a web service that expects a POST invocation with the following JSON payload. 

    Code Block
    	"credentials": {
    		"username": "userx",
    		"password": "mypass"

    If the end-user record is valid, the web service responds with the following,

    Code Block
    	"response": {
    		"status": "true"
    • The web service itself should be protected with a username and password.
    • If your existing authentication web service is using a different JSON format, contact WSO2 Cloud support (using the Support menu) so we can change the format on our side.
    • If the userstore is behind a firewall and cannot be exposed to the cloud directly, we support various secure ways of doing so including VPN, reverse proxy services in DMZ, etc.
  4. WSO2 adds your external user store as a secondary user store to WSO2 API Cloud and informs you. The users in this secondary user store have permission to invoke APIs in your tenant domain.

  5. Invoke the following cURL command to generate an access token for a user via the Token API. 


    Tip: The Token API allows you to generate and renew user and application access tokens. The response of the Token API is a JSON message. You extract the token from the JSON and pass it with an HTTP Authorization header to access APIs in the API Store.

    Code Block
    curl -k -d "grant_type=password&username=<username@organization_name>&password=<PASSWORD>" -H "Authorization: Basic <Base64Encoded Consumer key:consumer secret>"


    When you have connected your user store to the API Cloud via a RESTful service, you cannot generate tokens for different scopes. If you need to restrict access to different resources of your API based on scopes, you should not connect the user store via a RESTful service.


    Tip: When passing the username, take the username that the user has in your system and add "@<organization name that you have in the Cloud>" to the end.

    For example, if the username in your database is and the organization name in WSO2 Cloud is my_company, then the username that you pass in the token request should be


    Tip: To get the consumer key and consumer secret pair, go to the API Store and click Applications in on the left panel. From the list of applications click View button from relevant application and find the keys under ProductKeys or SandboxKeys accordinglyThis displays your existing applications. Next, click View on a required application and then depending on your requirement click either the Production Keys tab or Sandbox Keys tab to generate appropriate keys.

  6. Using the OAuth access token that you got in the previous step, invoke an API in the API Cloud. For example,

    Code Block
    curl -k -X GET --header 'Accept: application/xml' --header 'Authorization: Bearer <OAuth token from step 3>' ''
  7. See the actual identity of the user in your user store by examining the JWT token that is passed with each API call. The end user identity is passed in the “ ” property as shown in the example below:

    Code Block
    titleSample JWT Token