Let's take a look at some concepts and terminology that you need to know in order to follow the use cases.
...
When using the REST API directly, these are the visibility options that you can specify public, private and restricted which analogus to the visiblity options specified in UI as below.
| API visiblity Level specified in UI | API visiblity Level specified in REST API |
|---|---|
| Public | public i.e. visibility=public |
| Visible to my domain | private i.e. visibility=private |
| Restricted by roles | restricted i.e. visibility=restricted&roles=role1,role2,role3 |
Subscription availability
...
Cross-origin resource sharing ( CORS ) is a mechanism that allows restricted resources (e.g., fonts, JavaScript) of a Web page to be requested from another domain outside the domain from which the resource originated.
The Swagger API Console that is integrated in the API Manager runs as a JavaScript client in the API Store and makes calls from the Store to the API Gateway. Therefore, if you have the API Store and Gateway running on different ports, enable CORS between them.
...
| Code Block | ||
|---|---|---|
| ||
<handlers> <handler class="org.wso2.carbon.apimgt.gateway.handlers.security.CORSRequestHandler"/> </handlers> |
...
OAuth scopes
Scopes enable fine-grained access control to API resources based on user roles. You define scopes to an API's resources. When a user invokes the API, his/her OAuth 2 bearer token cannot grant access to any API resource beyond its associated scopes.
...
| Scope Key | A unique key for identifying the scope. Typically, it is prefixed by part of the API's name for uniqueness, but is not necessarily reader-friendly. | ||||
| Scope Name | A human-readable name for the scope. It typically says what the scope does. | ||||
| Roles | The user role(s) that are allowed to obtain a token against this scope. E.g., manager, employee.
|
To apply the scope, you add the scope to a resource, save and publish the API.
...