This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Guidelines for Developing the Middle Tier Application

We suggest writing a separate backend component to handle authorization token generation when developing a custom API Store application in the Integration Cloud. This backend component can be written in MSF4J or in any other language of your choice.

The main responsibilities of the middle tier application are listed below. All calls that leave the front end go to WSO2 through this intermediate middle tier.

  • Calling the WSO2 OAuth2 endpoint (key generation service) to retrieve the access token.
  • Requesting refresh tokens once the current tokens expire.
  • Handling the secure invocation of the WSO2 Cloud REST APIs.

The diagram below illustrates the structure of this middle tier application and how an external store application uses it to consume the WSO2 REST APIs. The middle tier application, also known as the backend application, is responsible for handling the operations shown inside the red box.

The numbered steps in the diagram are described below.
  1. An external user interacts with the API Store (front end application).
  2. The front end application sends the request to the middle tier application.
  3. The middle tier application sends a request to the WSO2 token generation service to generate or regenerate the access token.
  4. The WSO2 token generation service sends the access token back to the middle tier application.
  5. The middle tier application calls the WSO2 Admin REST APIs in the backend.
  6. The WSO2 REST APIs return the response to the middle tier application. This is transferred to the API Store.
  7. The middle tier application transfers the response to the API Store.
  8. The API Store displays the response to the end user.

The middle tier (backend) application handles the three functions listed below. Make sure that all of them are implemented when you write your backend application.

  1. Invoking Admin REST APIs
     (a) Password Grant
     (b) Refresh Token Grant
  2. Logging in and storing subscriber access tokens
  3. Invoking Store REST APIs

To control which browser pages can call the middle tier application, enable CORS for the backend application. When enabling CORS, allow only the origin of your front end application, so that browsers reject cross-origin requests from pages served by any other host. Note that CORS is enforced by browsers only, so the backend must still authenticate every request on its own and must never return subscriber tokens to the front end.
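The following is an added example, not code from the WSO2 documentation, of the three middle tier functions above written in Python (the page allows any language): a token holder that performs the password grant, switches to the refresh token grant once the token expires, keeps the subscriber's tokens on the server side, and a CORS helper that allows only the configured front end origin. The token endpoint URL, consumer key and secret, and front end origin are placeholder assumptions, and the HTTP transport is injectable so the logic can be exercised offline.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Placeholder settings (assumed): your WSO2 Cloud token endpoint, your application's consumer key/secret, and your front end origin.
TOKEN_ENDPOINT = "https://<your-wso2-cloud-host>/oauth2/token"
CONSUMER_KEY = "<consumer-key>"
CONSUMER_SECRET = "<consumer-secret>"
ALLOWED_ORIGIN = "https://store.example.invalid"

def http_post_form(url, headers, form):
    """Default transport: POST a form-encoded body and return the parsed JSON reply."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())

class TokenManager:
    """Holds one subscriber's tokens server-side; the browser never sees them."""
    def __init__(self, transport=http_post_form, clock=time.time):
        self._post, self._clock = transport, clock  # injectable for offline testing
        self._access, self._refresh, self._expires_at = None, None, 0.0

    def _token_request(self, form):
        # Client credentials go in the Basic Authorization header (RFC 6749 section 2.3.1).
        basic = base64.b64encode(f"{CONSUMER_KEY}:{CONSUMER_SECRET}".encode()).decode()
        headers = {"Authorization": f"Basic {basic}",
                   "Content-Type": "application/x-www-form-urlencoded"}
        reply = self._post(TOKEN_ENDPOINT, headers, form)
        self._access, self._refresh = reply["access_token"], reply.get("refresh_token")
        # Treat the token as expired 30 s early so it is never sent right at its expiry.
        self._expires_at = self._clock() + float(reply.get("expires_in", 0)) - 30
        return self._access

    def login(self, username, password, scope):
        # Password grant: exchange the subscriber's credentials for an access token.
        return self._token_request({"grant_type": "password", "username": username,
                                    "password": password, "scope": scope})

    def get_access_token(self):
        # Return a valid token, using the refresh token grant once the current one expired.
        if self._access is None:
            raise RuntimeError("call login() first")
        if self._clock() >= self._expires_at and self._refresh:
            return self._token_request({"grant_type": "refresh_token",
                                        "refresh_token": self._refresh})
        return self._access

def cors_headers(request_origin):
    """Allow only the configured front end origin; any other Origin gets no CORS headers."""
    if request_origin != ALLOWED_ORIGIN:
        return {}
    return {"Access-Control-Allow-Origin": ALLOWED_ORIGIN, "Vary": "Origin"}
```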