WSO2 API Manager is a complete solution for publishing APIs, creating and managing a developer community and for routing API traffic in a scalable manner. It leverages the integration, security and governance components from the WSO2 Enterprise Service Bus, WSO2 Identity Server, and WSO2 Governance Registry. In addition, as it is powered by the WSO2 Business Activity Monitor (BAM), the WSO2 API Manager is ready for massively scalable deployment immediately.
This guide walks you through the main use cases of the API Manager:
Introduction and concepts
Let's take a look at the basic concepts that you need to know before using the API Manager:
The API manager comprises the following components:
- API Gateway : Secures, protects, manages, and scales API calls. It is a simple API proxy that intercepts API requests and applies policies such as throttling and security checks. It is also instrumental in gathering API usage statistics. The Web interface can be accessed via
- API Key Manager : Handles all security and key-related operations. The API Gateway connects with the Key Manager to check the validity of OAuth tokens when APIs are invoked. The Key Manager also provides a token API, reachable through the Gateway, for generating OAuth tokens.
- API Publisher : Enables API providers to publish APIs, share documentation, provision API keys, and gather feedback on API features, quality and usage. The Web interface can be accessed via
- API Store : Enables API consumers to self register, discover API functionality, subscribe to APIs, evaluate them and interact with API publishers. The Web interface can be accessed via
- Additionally, statistics are provided by the monitoring component, which integrates with WSO2 BAM.
Users and roles
The API manager offers three distinct community roles that are applicable to most enterprises:
- Creator : a creator is a person in a technical role who understands the technical aspects of the API (interfaces, documentation, versions, how it is exposed by the API Gateway) and uses the API Publisher to provision APIs into the API Store. The creator uses the API Store to consult ratings and feedback provided by API users. A creator can add APIs to the store but cannot manage their lifecycle (i.e., make them visible to the outside world).
- Publisher : a publisher manages a set of APIs across the enterprise or business unit and controls the API lifecycle and monetization aspects. The publisher is also interested in usage patterns for APIs and as such has access to all API statistics.
- Consumer : a consumer uses the API store to discover APIs, see the documentation and forums and rate/comment on the APIs. S/he subscribes to APIs to obtain API keys.
An API is the published interface, while the service is the implementation running in the backend. APIs have their own lifecycles that are independent of the backend services they rely on. This lifecycle is exposed in the API Publisher Web interface and is managed by the API publisher role.
The following stages are available in the default API life cycle:
- CREATED : API metadata is added to the API Store, but it is not visible to subscribers yet, nor deployed to the API gateway
- PUBLISHED : API is visible in the API Store
- DEPRECATED : API is still deployed into the API Gateway (i.e., available at runtime to existing users) but not visible to subscribers. An API can automatically be deprecated when a new version is published.
- RETIRED : API is unpublished from the API gateway and deleted from the store
- BLOCKED : Access is temporarily blocked. Runtime calls are blocked and the API is not shown in the API Store anymore.
You can manage the API and service lifecycles in the same governance registry/repository and automatically link them. This feature is available in WSO2 Governance Registry (version 4.5 onwards).
An application is primarily used to decouple the consumer from the APIs. It allows you to:
- Generate and use a single key for multiple APIs
- Subscribe multiple times to a single API with different SLA levels
You create an application to subscribe to an API. The API Manager comes with a default application and you can also create as many applications as you like.
Throttling tiers are associated with an API at subscription time. They define the throttling limits enforced by the API Gateway, for example 10 TPS (transactions per second). You define the list of tiers that are available for a given API at the publisher level. The API Manager comes with three predefined tiers (Gold/Silver/Bronze) and a special tier called Unlimited, which can be disabled by editing the <TierManagement> element of the <PRODUCT_HOME>/repository/conf/api-manager.xml file. To edit existing tiers or create your own tiers, see Adding New Throttling Tiers.
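The tier model above (a tier chosen per application/API subscription, enforced by the gateway as a TPS ceiling, with Unlimited bypassing the count) can be demonstrated with a small sliding-window throttler. This is an added example, not WSO2 API Manager's own code: the tier names follow the page, while the TPS limits, the subscription table and the request trace are constructed for illustration.

```python
# Added example (not WSO2 API Manager's own code): enforcing per-subscription
# throttling tiers at a gateway. Tier names follow the page; the TPS limits
# and the subscription table are constructed for illustration.
from collections import defaultdict, deque

# Assumed limits in transactions per second; None models the Unlimited tier.
TIERS = {"Gold": 20, "Silver": 5, "Bronze": 1, "Unlimited": None}


class TierThrottler:
    """Sliding one-second window per (application, API) subscription.

    subscriptions maps (application, api) -> tier name, mirroring the page's
    point that a tier is chosen when an application subscribes to an API.
    """

    def __init__(self, subscriptions, tiers=TIERS):
        self.subscriptions = subscriptions
        self.tiers = tiers
        self._hits = defaultdict(deque)  # (app, api) -> request timestamps

    def check(self, app, api, now):
        """Return 'allowed', 'throttled' or 'unsubscribed' for one request."""
        tier = self.subscriptions.get((app, api))
        if tier is None:
            return "unsubscribed"
        limit = self.tiers[tier]
        if limit is None:  # Unlimited tier: no counting needed
            return "allowed"
        window = self._hits[(app, api)]
        # Evict timestamps that have left the one-second window.
        while window and now - window[0] >= 1.0:
            window.popleft()
        if len(window) >= limit:
            return "throttled"
        window.append(now)
        return "allowed"


# Constructed subscription table for the demo.
SUBSCRIPTIONS = {
    ("MobileApp", "WeatherAPI"): "Bronze",
    ("MobileApp", "GeoAPI"): "Gold",
    ("BatchApp", "WeatherAPI"): "Unlimited",
}


def demo():
    """Replay a burst of requests and return the decisions in order."""
    gw = TierThrottler(SUBSCRIPTIONS)
    trace = [
        ("MobileApp", "WeatherAPI", 0.00),  # first call in the second: allowed
        ("MobileApp", "WeatherAPI", 0.40),  # Bronze is 1 TPS: throttled
        ("MobileApp", "WeatherAPI", 1.00),  # new window: allowed again
        ("BatchApp", "WeatherAPI", 1.01),   # Unlimited: always allowed
        ("OtherApp", "WeatherAPI", 1.02),   # no subscription: rejected
    ]
    return [gw.check(app, api, t) for app, api, t in trace]


if __name__ == "__main__":
    print(demo())
```

The throttler keys its counters on the subscription (application plus API) rather than on the API alone, which is what lets one application subscribe to the same API under different SLA levels and what makes a burst from one application invisible to another.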
The API Manager supports two scenarios for authentication:
- An access token is used to identify and authenticate a whole application
- An access token is used to identify the final user of an application (for example, the final user of a mobile application deployed on many different devices)
Application access token
Application access tokens are generated by the API consumer and must be passed in the incoming API requests. We leveraged the OAuth2 standard to provide a simple, easy-to-use key management mechanism. The API key is a simple string, which must be passed as an HTTP header, like this:
Authorization: Bearer NtBQkXoKElu0H1a1fQ0DW
and works equally well for SOAP and REST calls.
Application access tokens are generated at the application level and are valid for all APIs associated with this application. Application access tokens have a fixed expiration time, which is by default set to 60 minutes. You can update this expiration time to a much longer time, such as several weeks (FYI, 4 weeks are 2419200 seconds!). Consumers have the ability to re-generate the access token directly from the API Store in
The default expiration time can be changed by editing the
file and changing the value for
Importantly, you can set the application access token expiration time to the Never Expired value. For that, you need to set the
configuration value to a minus (negative) value.
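The bearer-token check described above (a token string carried in the Authorization header, valid for every API of its application, with a 60-minute default lifetime and a negative validity period meaning never expire) can be sketched in a few lines. This is an added example, not WSO2 API Manager's or the Key Manager's own code: the IssuedToken record, the validate and parse_bearer functions and the token store are constructed for illustration, and treating a negative validity as "never expires" is an assumption modelled on the page's wording.

```python
# Added example (not WSO2 API Manager's own code): how a gateway can validate
# an application access token sent as an OAuth2 bearer header, applying the
# expiry rules the page describes: a default validity of 60 minutes, and a
# negative validity period meaning the token never expires (assumed to mirror
# the "minus value" configuration the page mentions). The token store below
# is constructed sample data.
import hmac
from dataclasses import dataclass

DEFAULT_VALIDITY_SECONDS = 3600  # the page's default of 60 minutes


@dataclass
class IssuedToken:
    application: str       # tokens are issued per application, not per API
    issued_at: float       # epoch seconds
    validity_seconds: int  # negative => never expires

    def expires_at(self):
        if self.validity_seconds < 0:
            return None
        return self.issued_at + self.validity_seconds


def parse_bearer(header_value):
    """Extract the token from 'Bearer <token>'; None if absent or malformed."""
    if not header_value:
        return None
    parts = header_value.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    return parts[1].strip() or None


def validate(headers, token_store, now):
    """Return (ok, detail): detail is the application on success, else a reason."""
    token = parse_bearer(headers.get("Authorization"))
    if token is None:
        return False, "missing or malformed Authorization: Bearer header"
    record = None
    for stored, rec in token_store.items():
        # Constant-time comparison avoids leaking how much of a token matched.
        if hmac.compare_digest(stored.encode(), token.encode()):
            record = rec
    if record is None:
        return False, "unknown token"
    exp = record.expires_at()
    if exp is not None and now >= exp:
        return False, "token expired"
    return True, record.application


# Constructed sample store: the first token string is the page's own example.
SAMPLE_STORE = {
    "NtBQkXoKElu0H1a1fQ0DW": IssuedToken("MobileApp", 1000.0, DEFAULT_VALIDITY_SECONDS),
    "example-never-expiring-token": IssuedToken("BatchApp", 1000.0, -1),
}


if __name__ == "__main__":
    hdrs = {"Authorization": "Bearer NtBQkXoKElu0H1a1fQ0DW"}
    print(validate(hdrs, SAMPLE_STORE, now=1000.0 + 1800))  # within 60 minutes
    print(validate(hdrs, SAMPLE_STORE, now=1000.0 + 3600))  # expired
```

The lookup iterates the store with a constant-time comparison rather than indexing by the raw token, and a missing or non-Bearer Authorization header is rejected before any lookup; both are the kind of detail that is cheap at the gateway and hard to retrofit later.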