When creating an API, you can set the authentication type of each resource by navigating to the Manage tab and selecting the required authentication from the "Application & Application user" drop-down list that corresponds to the respective resource.
The authentication type can be one of the following:
- None: You can select this option to create a non-authenticated API. This removes the authentication requirements that apply to regular managed APIs, so that the API Gateway skips the authentication process. This is useful when you still want the API listed on the API Store home screen and/or when you want to disable the authentication requirement for individual resources of an API.
- Application: The authentication is done by the application and the resource accepts application access tokens. If you select this option, the API requires OAuth tokens generated with a client grant type that produces tokens specific to the subscription, but not to the end-users. Therefore, if a web or mobile application that has subscribed to this API has multiple end-users, they all share the same token and the API backend does not know which end-user invoked the API.
- Application User: Authentication is done by the application user and the resource accepts user access tokens. If you select this option, the API accepts the OAuth tokens that are generated with the password grant type. These tokens are specific to the end-user, because they require not just the application key but also the end-user's username and password. In this case, each end-user gets their own OAuth tokens even though they are using the same API subscription. The API Gateway then generates a JWT token and uses it to pass application and user information to the API backend.
- Application and Application User: Both application-level and application-user-level authentication are applied. Therefore, the API accepts both kinds of tokens.
Note that if you select this option in the UI, it appears as Any in the API Manager's internal data storage and data representation, and Any will appear in the response messages as well.
Note that for resources that have HTTP verbs (GET, POST, etc.) requiring authentication (i.e., the Auth Type is not None), you must set None as the Auth Type of OPTIONS. This is to support CORS (Cross-Origin Resource Sharing) between the API Store and the Gateway.
The auth type is cached in the API Manager for better performance. If you change the auth type through the UI, it takes about 15 minutes to refresh the cache. During that time, the server returns the old auth type from the cache. If you want the changes to be reflected immediately, please restart the server after changing the auth type.
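The following check is an added example, not part of the original documentation or of API Manager itself. It audits a set of resources for the cases described above: an OPTIONS verb that still requires authentication, unauthenticated verbs, and verbs that accept shared application tokens. The input shape (path to verb to auth type) and the finding names are assumptions constructed for illustration.

```python
# Added example: audit per-resource auth types for the cases the page describes.
# The input shape and the finding names are constructed, not API Manager's own.

# Accepted spellings mapped to one canonical value; the UI option
# "Application and Application User" is stored and returned as "Any".
CANONICAL = {
    "none": "None",
    "application": "Application",
    "application user": "Application User",
    "application and application user": "Any",
    "application & application user": "Any",
    "any": "Any",
}

def normalize(auth_type):
    """Map a UI label or stored value to one canonical auth type."""
    key = " ".join(auth_type.strip().lower().split())
    if key not in CANONICAL:
        raise ValueError(f"unknown auth type: {auth_type!r}")
    return CANONICAL[key]

def audit(resources):
    """Return sorted (path, verb, finding) tuples for a resource map."""
    findings = []
    for path, verbs in resources.items():
        types = {verb.upper(): normalize(a) for verb, a in verbs.items()}
        protected = [v for v, a in types.items() if v != "OPTIONS" and a != "None"]
        # Protected verbs need OPTIONS set to None so CORS keeps working.
        if protected and types.get("OPTIONS", "None") != "None":
            findings.append((path, "OPTIONS", "options-requires-auth"))
        for verb, auth in types.items():
            if verb == "OPTIONS":
                continue
            if auth == "None":
                # Gateway skips authentication: confirm this is intended.
                findings.append((path, verb, "unauthenticated"))
            elif auth in ("Application", "Any"):
                # Application tokens are shared by all end-users of a subscriber.
                findings.append((path, verb, "shared-app-token-accepted"))
    return sorted(findings)

# Constructed sample input.
SAMPLE = {
    "/orders": {"GET": "Application User", "POST": "Application User",
                "OPTIONS": "Application & Application User"},
    "/catalog": {"GET": "NONE", "OPTIONS": "None"},
    "/reports": {"GET": "Application", "OPTIONS": "None"},
    "/profile": {"GET": "Application and Application User", "OPTIONS": "None"},
}
```

Because the auth type is cached, findings fixed through the UI can still be served with the old value for about 15 minutes unless the server is restarted.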