Generating application access tokens
The steps below describe how to generate application access tokens:
- Log in to the API Store.
Click My Subscriptions from the menu bar at the top of the screen. The Subscriptions page opens, using which you can generate a production key and/or a sandbox key for testing purpose.
The two inputs mean the following:
The domains from which requests are allowed to the APIs. Leave empty or enter "ALL" to allow all domains.
Whenever an API call happens, the Gateway checks if the request originated from an allowed domain and grants access accordingly. This ensures that clients from a restricted domain cannot access an API even if an application key is stolen (when the key is placed in client-side JS code).
When the client makes a request to an API that is only allowed to some domains, the request message must have an HTTP header to specify its domain name. Sending this header is mandatory only if the API is restricted to certain domains. An admin can configure this header name using in
<APIM_HOME>/repository/conf/api-manager.xml. For example, if the file contains
<ClientDomainHeader>domain</ClientDomainHeader>, then the API invocation request must contain an HTTP header called
domainwith values as shown in the example below:
curl -v -H "Authorization: Bearer xxx" -H "domain: wso2.com" http://localhost:8280/twitter/1.0.0/search.atom?q=cat
Token ValidityText Area The period after which the token will be expired after generation. A negative value ensures that the token will never expire.
Renewing application access tokens
When an application access token expires, you renew it by logging into the API Store, selecting the My Subscriptions menu and and clicking Re-generate.