Access tokens are used to authenticate users. They are generated by API consumers and need to be passed in the incoming API requests. The API key (i.e., the generated access token) is a simple string that is passed as an HTTP header, for example "Authorization: Bearer NtBQkXoKElu0H1a1fQ0DWfo6IX4a". It works equally well for SOAP and REST calls.
Authorizing requests coming to published APIs using access tokens helps you prevent DoS attacks. If the token passed with a request is invalid, the API Manager discards that request in the first stage of processing itself.
WSO2 API Manager provides two types of access tokens for authentication:
- Application Access Tokens: Tokens to identify and authenticate an entire application. An application is a logical collection of many APIs. With a single application access token, you can invoke all of these APIs.
- User Access Tokens: Tokens to identify the final user of an application. For example, the final user of a mobile application deployed on different devices.
In WSO2 API-M the access token must be unique for the combination of CONSUMER_KEY, AUTHZ_USER, USER_TYPE, TOKEN_STATE, TOKEN_STATE_ID and TOKEN_SCOPE. This constraint is defined in the IDN_OAUTH2_ACCESS_TOKEN table. Therefore, it is not possible to have more than one access token for any of the above combinations.
Let's take a look at how to generate and renew each type of access token.
- Generating application access tokens
- Generating user access tokens
- Renewing application access tokens
- Renewing user access tokens
Generating application access tokens
Tokens to authenticate an application, which is a logical collection of APIs. You can access all APIs associated with an application using a single token, and also subscribe multiple times to a single API with different SLA levels. Application access tokens leverage OAuth2 to provide simple key management.
The steps below describe how to generate/renew application access tokens:
- Log in to the API Store.
- Click the My Subscriptions menu, select the application from the drop-down list and click the Generate Keys button to create a new access token.
Whenever an API call happens, the Gateway checks if the request originated from an allowed domain and grants access accordingly. You can specify these domains in the Allowed Domains text box. This ensures that clients from a restricted domain cannot access an API even if an application key is stolen (when the key is placed in client-side JS code).
Tip: When the client makes a request to an API that is only allowed to some domains, the request message must have an HTTP header to specify its domain name. Sending this header is mandatory only if the API is restricted to certain domains. An admin can configure this header name using the <ClientDomainHeader> element. For example, if the file contains <ClientDomainHeader>domain</ClientDomainHeader>, then the API invocation request must contain an HTTP header called domain with values as shown in the example below (the target URL is a placeholder):
curl -v -H "Authorization: Bearer xxx" -H "domain: wso2.com" <API_INVOCATION_URL>
In the Token Validity text area, you set an expiration period determining the validity period of the token after generation. Set to a negative value to ensure that the token never expires. Also see Changing the default token expiration time.
Tip: When you generate access tokens to APIs protected by scope/s, a Select Scopes button is displayed in the My Subscriptions page for you to select the scope/s first and then generate the token to it.
Generating user access tokens
Tokens to authenticate the final user of an API and are valid for all APIs subscribed to a user via a particular application. User access tokens allow you to invoke an API even from a third-party application like a mobile app. You generate/renew a user access token by calling the Login API through a REST client. For more information, see Token API.
Tip: By default, access tokens, consumer keys and consumer secrets are not encrypted in the database. An admin can enable encryption as follows.
- Set the value of the <APIKeyValidator> element in the
- Change the
Tip: If you want to keep authorization headers in messages that are going out from the API Gateway, an admin can go to the <API Gateway Node>/repository/conf/api-manager.xml file, uncomment the <RemoveOAuthHeadersFromOutMessage> element, set its value to false and then restart the server to apply the changes.
Note that when a user is deleted, the access token is automatically invalidated.
Renewing application access tokens
When an application access token expires, consumers can refresh the token by logging into the API Store, selecting the My Subscriptions link at the top of the screen, and clicking Re-generate. You can also specify a token expiration time for the application access token or change its allowed domains. Set to a negative value to ensure that the token never expires.
Renewing user access tokens
To renew a user token, issue a REST call to the WSO2 Login API through a REST client. For more information, see Renew User Tokens.
Changing the default token expiration time
Access tokens have an expiration time, which is set to 60 minutes by default.
- To change the default expiration time of application access tokens, change the value of the <ApplicationAccessTokenDefaultValidityPeriod> element in the <APIM_HOME>/repository/conf/identity/identity.xml file. Set to a negative value to ensure that the token never expires. Changes to this value are applied only to the new applications that you create. Alternatively, you can set a default expiration time through the UI when generating/regenerating the application access token, as explained in the previous sections.
- Similarly, to change the default expiration time of user access tokens, edit the value of the <UserAccessTokenDefaultValidityPeriod> element in the same identity.xml file.
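As an added example (not WSO2 code), the following Python sketch models the Gateway's first-stage checks described under "Generating application access tokens" together with the validity-period rule above: the bearer token is looked up, its state and expiry are checked (a negative validity period never expires), and only for a domain-restricted application is the client domain header compared against the allowed domains. TokenRecord, check_request, SAMPLE_STORE and the token strings are constructed assumptions for illustration.

```python
# Added example (not WSO2 code): a minimal model of the Gateway's first-stage checks
# described on this page. TokenRecord, check_request and SAMPLE_STORE are constructed.
from dataclasses import dataclass

DEFAULT_VALIDITY_SECONDS = 60 * 60   # the page's default of 60 minutes
CLIENT_DOMAIN_HEADER = "domain"      # the value configured in <ClientDomainHeader>

@dataclass
class TokenRecord:
    consumer_key: str
    authz_user: str
    token_state: str            # e.g. "ACTIVE", "EXPIRED", "REVOKED"
    issued_at: int              # epoch seconds
    validity_seconds: int       # negative means the token never expires
    allowed_domains: tuple      # empty means the application is not domain-restricted

def is_expired(rec, now):
    """Validity-period semantics from the page: a negative value never expires."""
    if rec.validity_seconds < 0:
        return False
    return now >= rec.issued_at + rec.validity_seconds

def check_request(headers, token_store, now):
    """Return 'OK' or the reason the request is discarded. The cheap checks
    run first so a bad request is dropped before any further processing."""
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    auth = hdrs.get("authorization", "")
    if not auth.startswith("Bearer "):
        return "missing-bearer"
    rec = token_store.get(auth[len("Bearer "):].strip())
    if rec is None:
        return "unknown-token"
    if rec.token_state != "ACTIVE":
        return "token-not-active"
    if is_expired(rec, now):
        return "token-expired"
    if rec.allowed_domains:  # the domain header is mandatory only for restricted APIs
        dom = hdrs.get(CLIENT_DOMAIN_HEADER.lower())
        if dom is None:
            return "missing-domain-header"
        if dom.lower() not in rec.allowed_domains:
            return "domain-not-allowed"
    return "OK"

# Constructed sample store keyed by access token string (not real tokens).
SAMPLE_STORE = {
    "app-token-restricted": TokenRecord("ck1", "alice", "ACTIVE", 1000, DEFAULT_VALIDITY_SECONDS, ("wso2.com",)),
    "app-token-forever": TokenRecord("ck2", "bob", "ACTIVE", 1000, -1, ()),
    "app-token-revoked": TokenRecord("ck3", "carol", "REVOKED", 1000, DEFAULT_VALIDITY_SECONDS, ()),
}
```

A token copied out of client-side code is useless from a domain outside the allow-list, and a revoked or expired token is rejected before the request touches the backend.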
Also see Configuring Caching for several caching options available to optimize key validation.