Let's take a look at some concepts and terminology that you need to know in order to follow the use cases.
...
The API Manager comprises of the following high-level components:
API Publisher
API development is usually done by someone who understands the technical aspects of the API, interfaces, documentation, versions etc., while API management is typically carried out by someone who understands the business aspects of the APIs. In most business environments, API development is a responsibility that is distinct from API publication and management.
...
The diagram below shows the common lifecycle activities of an API developer/manager:
API Store (Developer Portal)
The API Store Web application provides a collaborative interface for API publishers to host and advertise their APIs and for API consumers to self register, discover, evaluate, subscribe to and use secured, protected, authenticated APIs.
...
Additionally, statistics are provided by the monitoring component, which integrates with WSO2 DAS.The components are depicted in the diagram below:
...
Users and roles
The API Manager offers four distinct community roles that are applicable to most enterprises:
...
- CREATED: API metadata is added to the API Store, but it is not deployed in the API gateway and therefore, is not visible to subscribers in the API Store.
- PROTOTYPED: the API is deployed and published in the API Store as a prototype. A prototyped API is usually a mock implementation made public in order to get feedback about its usability. Users can invoke the API without a subscription.
- PUBLISHED: The API is visible in the API Store and available for subscription.
- DEPRECATED: When an API is deprecated, new subscriptions are disabled. But the API is still deployed in the Gateway and is available at runtime to existing subscribers. Existing subscribers can continue to use it as usual until the API is retired.
- RETIRED: The API is unpublished from the API gateway and deleted from the store.
- BLOCKED: Access to the API is temporarily blocked. Runtime calls are blocked and the API is not shown in the API Store anymore.
...
Applications
An application is a logical collection of APIs. An application is primarily used to decouple the consumer from the APIs. It allows you to :
...
The API Manager comes with a pre-created , default application, which allows unlimited access by default. You can also create your own applications.
If you want to create a mobile application, you can create a client side stub for Android or Java using SDKs. SDKs contain the necessary toolkits to create a mobile application using the OS to call the local API. To download the relevant ZIP file,
- Log in to the API Store and click Applications.
- Click View next to the required application.
- Click the SDKs tab.
- Click Android or Java to download the ZIP file.
...
Access tokens
An access token is a simple string that is passed as an HTTP header of a request. For example, "Authorization: Bearer NtBQkXoKElu0H1a1fQ0DWfo6IX4a." Access tokens authenticate API users and applications, and ensure better security (e.g., prevent DoS attacks). If a token that is passed with a request is invalid, the request is discarded in the first stage of processing. Access tokens work equally well for SOAP and REST calls.
...
Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources (e.g., fonts, JavaScript) of a Web page to be requested from another domain outside the domain from which the resource originated.
The Swagger API Console that is integrated in the API Manager runs as a JavaScript client in the API Store and makes calls from the Store to the API Gateway. Therefore, if you have the API Store and Gateway running on different ports, enable CORS between them.
...
| Code Block | ||
|---|---|---|
| ||
<handlers> <handler class="org.wso2.carbon.apimgt.gateway.handlers.security.CORSRequestHandler"/> </handlers> |
...
OAuth scopes
Scopes enable fine-grained access control to API resources based on user roles. You define scopes to an API's resources. When a user invokes the API, his/her OAuth 2 bearer token cannot grant access to any API resource beyond its associated scopes.
...