API Manager Components
The WSO2 API Manager comprises the following main components:
API Publisher
Provides an end-user, collaborative Web interface for API providers to publish APIs, share documentation, provision API keys, and gather feedback on API features, quality and usage. The API Publisher is powered by WSO2 Jaggery, WSO2 Governance Registry and WSO2 Identity Server products.
For more information on API Publisher and its functionality, refer to section API Publication and Management.
API Store
Provides an end-user, collaborative Web interface for consumers to self-register, discover API functionality, subscribe to APIs, evaluate them and interact with API publishers. The API Store is powered by WSO2 Jaggery, WSO2 Governance Registry and WSO2 Identity Server products.
For more information on the API Store and its functionality, refer to section API Subscription and Usage.
API Gateway
A runtime, back-end component developed using the WSO2 ESB, which is proven for its performance capability. The API Gateway secures, protects, manages, and scales API calls. It is a simple API proxy that intercepts API requests and applies policies such as throttling and security checks. It is also instrumental in gathering API usage statistics. The API Gateway uses a set of handlers for security validation and throttling. Upon validation, it passes web service calls to the actual back-end. If the service call is a token request call, the API Gateway passes it directly to the API Key Manager Server to handle it.
The API Gateway is accessible through the URL: https://localhost:9443/carbon, once the API Manager server is up and running.
You can integrate a monitoring and statistics component with the API Manager without additional configuration effort. This monitoring component integrates with the WSO2 Business Activity Monitor, which can be deployed separately to analyze events generated by the API Manager. For more information, refer to section Monitoring and Statistics.
API Key Manager
The API Key Manager component handles all security and key-related operations. When the API Gateway receives API calls, it contacts the API Key Manager service to verify the validity of tokens. When the API Gateway receives login calls, it forwards them directly to the Key Manager server.
Login calls are used to get new access tokens. Users need to pass username, password, consumer key and consumer secret key when registering their applications. All tokens used for validation are based on the OAuth 2.0 protocol. Secure authorization of APIs is provided by the OAuth 2.0 standard for key management. The API Gateway supports API authentication with OAuth 2.0, and enables IT organizations to enforce rate limits and throttling policies.
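The request flow described in the API Gateway and API Key Manager sections can be modelled in a few lines. This is an added example, not WSO2 code: the class names, the /token path, the Bearer header format, the HTTP status codes and the fixed-window throttle are all assumptions chosen for illustration.

```python
import hmac
import secrets
import time

def _match(stored, given):
    # Constant-time comparison; an unknown user or app (stored is None) never matches.
    return stored is not None and hmac.compare_digest(stored.encode(), str(given).encode())

class KeyManager:
    """Hypothetical stand-in for the API Key Manager: issues and validates access tokens."""
    def __init__(self, users, apps):
        self.users, self.apps = users, apps   # plaintext maps only because this is a model
        self.tokens = {}                      # access token -> consumer key

    def issue_token(self, username, password, consumer_key, consumer_secret):
        if not (_match(self.users.get(username), password)
                and _match(self.apps.get(consumer_key), consumer_secret)):
            return None
        token = secrets.token_hex(16)
        self.tokens[token] = consumer_key
        return token

    def validate(self, token):
        return self.tokens.get(token)         # None when the token is unknown

class Gateway:
    """Hypothetical stand-in for the API Gateway: security handler, throttling handler, back-end."""
    FIELDS = ("username", "password", "consumer_key", "consumer_secret")

    def __init__(self, key_manager, backend, limit, window=60.0, clock=time.monotonic):
        self.km, self.backend, self.limit = key_manager, backend, limit
        self.window, self.clock, self.hits = window, clock, {}

    def handle(self, path, headers=None, body=None):
        if path == "/token":                  # token request: handed straight to the Key Manager
            token = self.km.issue_token(*[(body or {}).get(f, "") for f in self.FIELDS])
            return (200, token) if token else (401, "invalid credentials")
        auth = (headers or {}).get("Authorization", "")
        consumer = self.km.validate(auth[7:]) if auth.startswith("Bearer ") else None
        if consumer is None:                  # security handler runs before any throttle state is touched
            return 401, "invalid or missing access token"
        now = self.clock()
        recent = [t for t in self.hits.get(consumer, []) if now - t < self.window]
        if len(recent) >= self.limit:         # throttling handler, counted per consumer key
            self.hits[consumer] = recent
            return 429, "throttled"
        self.hits[consumer] = recent + [now]
        return 200, self.backend(path)        # only validated, in-quota calls reach the back-end
```

Running the security handler first means unauthenticated traffic cannot consume a subscriber's quota or grow the throttle table.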
The following diagram depicts the collaboration of these main components with an easily-integrable monitoring and statistics component.