You can obtain an access token by providing the resource owner's username and password as an authorization grant (the OAuth 2.0 password grant). The request must carry the base64-encoded string of the consumer-key:consumer-secret
combination in its Authorization header. You need to meet the following prerequisites before using the Token API to generate a token.
Prerequisites
- A valid user account in the API Store. You can self sign up if it is enabled by an admin.
- A valid consumer key and consumer secret pair. Initially, these keys must be generated through the API Store by clicking the Generate link on My Subscriptions page.
- A running API Gateway instance (typically an API Manager instance should be running). For instructions on the API Gateway, see Components.
- If the key manager is on a different server than the API Gateway, change the server URL (host and ports) of the key manager accordingly in the <APIKeyManager><ServerURL> element of the <AM_HOME>/repository/conf/api-manager.xml file. If you have multiple Carbon servers running on the same computer, change the port with an offset to avoid port conflicts.
Invoking the Token API to generate tokens
- Combine the consumer key and consumer secret in the format consumer-key:consumer-secret and encode the combined string using base64. Encoding to base64 can be done using the URL http://base64encode.org. Here's an example consumer key and secret combination: wU62DjlyDBnq87GlBwplfqvmAbAa:ksdSdoefDDP7wpaElfqvmjDue.
- Access the Token API by using a REST client such as the WSO2 REST Client or cURL, with the following parameters.
  - Assuming that both the client and the API Gateway run on the same server, the Token API URL is https://localhost:8243/token
  - payload - "grant_type=password&username=<username>&password=<password>&scope=<scope>". Replace the <username> and <password> values as appropriate. Tip: <scope> is optional.
    You define scopes for your API's resources so that a resource can only be accessed with a token that was issued for at least the scope belonging to that resource. For example, if a resource has a scope named 'update' and the token is issued for the scopes 'read' and 'update', then the token is allowed to access the resource. If the token is issued only for a scope named 'read', a request bearing that token will be blocked.
  - headers - Authorization: Basic <base64 encoded string>, Content-Type: application/x-www-form-urlencoded. Replace the <base64 encoded string> as appropriate.
For example, use the following cURL command to access the Token API. It returns two tokens: an access token and a refresh token. You can use the refresh token to renew the access token when it expires. Note that each header is passed with its own -H flag; putting both headers into a single -H value would send the Content-Type text as part of the Authorization header.
curl -k -d "grant_type=password&username=<username>&password=<password>" -H "Authorization: Basic SVpzSWk2SERiQjVlOFZLZFpBblVpX2ZaM2Y4YTpHbTBiSjZvV1Y4ZkM1T1FMTGxDNmpzbEFDVzhh" -H "Content-Type: application/x-www-form-urlencoded" https://localhost:8243/token
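The whole procedure above, as an added example that is not part of the original documentation: a POSIX shell script that base64-encodes the consumer-key:consumer-secret pair locally (so the consumer secret is never pasted into a third-party web page), assembles the form payload with the optional scope, applies the scope rule described above, and prints the cURL command with each header passed as its own -H flag. The Token API URL is the page's https://localhost:8243/token; the consumer key, secret, username, password and scope values used at the bottom are constructed placeholders, not values from the page.

```shell
#!/bin/sh
# Added example (not WSO2's own code): build the password-grant request for
# the Token API locally. Assumes the Token API listens at
# https://localhost:8243/token as described on the page.

# Encode "consumer-key:consumer-secret" as base64 for the Basic Authorization header.
encode_creds() {
    # printf avoids the trailing newline that echo would add; that newline
    # would otherwise become part of the encoded credential and fail auth.
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Assemble the form body the Token API expects. The scope parameter is
# optional and is only appended when a third argument is given.
build_payload() {
    payload="grant_type=password&username=$1&password=$2"
    [ -n "$3" ] && payload="$payload&scope=$3"
    printf '%s' "$payload"
}

# The scope rule from the page: a resource guarded by a scope is accessible
# only if the token was issued for at least that scope.
# Usage: scope_permits REQUIRED_SCOPE GRANTED_SCOPE...   (returns 0 if allowed)
scope_permits() {
    required=$1
    shift
    for granted in "$@"; do
        [ "$granted" = "$required" ] && return 0
    done
    return 1
}

# Print the curl invocation. Each header gets its own -H flag: folding both
# headers into one quoted -H value would send the Content-Type text as part of
# the Authorization header value and the gateway would reject the request.
# Arguments: consumer-key consumer-secret username password [scope]
token_request() {
    auth=$(encode_creds "$1" "$2")
    body=$(build_payload "$3" "$4" "$5")
    printf 'curl -k -d "%s" -H "Authorization: Basic %s" -H "Content-Type: application/x-www-form-urlencoded" https://localhost:8243/token\n' "$body" "$auth"
}

# Constructed placeholder values; substitute your own consumer key/secret,
# user account and scope.
token_request "key" "secret" "alice" "p4ss" "update"
```

The username, password and scope are placed in an application/x-www-form-urlencoded body, so any reserved characters in them (spaces, '&', '=', '%') must be URL-encoded first; multiple scopes are space-separated and therefore need encoding too. Passing the password as a command-line argument exposes it in process listings and shell history, so for anything beyond a local test read it from a prompt or a file with restricted permissions rather than typing it inline.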
Instead of using the Token API, you can generate access tokens from the API Store's UI.