In WSO2 API Manager versions prior to 1.9.0, the components were tightly coupled with Key Manager and token validation was done by directly accessing the databases. However, from WSO2 API Manager 1.9.0 onwards, you can plug different OAuth2 providers to the key validation. When you call an API providing an access token, the execution flows through the handlers specified in the API. Among them, the API authentication handler extracts the token from the header and calls APIKeyValidationService to get the token validated. Upon validating the token, the token gateway Gateway receives APIKeyValidationInforDTO as the response. The rest of the operations are performed using that token.
...