Generating Access Tokens to Invoke APIs
If an API requires authentication, you need an access token to invoke it. Access tokens are generated by API consumers and must be passed in the incoming API requests. The API key (the generated access token) is a simple string that must be sent as an HTTP header. For example: "Authorization: Bearer NtBQkXoKElu0H1a1fQ0DWfo6IX4a".
It works equally well for SOAP and REST calls.
WSO2 API Manager provides two types of access tokens for authentication:
- Application Access Tokens: Tokens to identify and authenticate an entire application. An application is a logical collection of many APIs. With a single application access token, you can invoke all of these APIs.
- User Access Tokens: Tokens to identify the final user of an application. For example, the final user of a mobile application deployed on different devices.
Let's take a look at how to generate and renew each type of access token in detail.
Generating access tokens
Application access tokens are generated at the application level and are valid for all APIs associated with the application. Token generation leverages OAuth2 to provide a simple, easy-to-use key management mechanism.
Application access tokens
Following steps describe how to generate application access tokens.
- Log in to the API Store (https://<hostname>:9443/store).
- In the My Subscriptions tab, select the application for which you need a token. Each application has access token generation buttons associated with it.
- After you click the Generate button, the access token appears as follows. It also generates a consumer key and a consumer secret. For testing purposes, you can also create a sandbox key.
Using this token, users can access any API subscribed under a given application.
User access tokens
User access tokens are generated at the user level and are valid for all APIs subscribed to by that user. User-level tokens allow users to invoke an API even from a third-party application, such as a mobile app. You can generate a user-level token by calling the API Manager Login API through a REST client. For more information on generating user-level tokens, refer to Token APIs.
Renewing expired tokens
Access tokens have a default expiration time of 60 minutes.
- To change the default expiration time of application access tokens, change the value of the <ApplicationTokenDefaultValidityPeriod> element in the <APIM_HOME>/repository/conf/identity.xml file. You can set this to a negative value to ensure that the application access token never expires.
- Similarly, to change the default expiration time of user access tokens, edit the value of the <AccessTokenDefaultValidityPeriod> element in the identity.xml file.
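Because a negative validity period removes expiry as a way of retiring a token, it is worth checking these two settings during a configuration review. The following script is an added example and not part of the WSO2 documentation or product; it assumes the values are expressed in seconds (3600 = the 60-minute default), searches for the two elements anywhere in the file since their nesting varies between versions, and uses a constructed identity.xml fragment as input.

```python
"""Audit token validity settings in a WSO2 API Manager identity.xml.

Added example, not WSO2 code. Reads the two elements named in the docs,
assumes values are in seconds, and flags a negative value (which the docs
say makes the token never expire) and unusually long lifetimes.
"""
import xml.etree.ElementTree as ET

# Constructed sample resembling the <OAuth> section of identity.xml.
# The nesting and the negative value are illustrative only.
SAMPLE_IDENTITY_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server>
  <OAuth>
    <ApplicationTokenDefaultValidityPeriod>-1</ApplicationTokenDefaultValidityPeriod>
    <AccessTokenDefaultValidityPeriod>3600</AccessTokenDefaultValidityPeriod>
  </OAuth>
</Server>
"""

TOKEN_ELEMENTS = {
    "application": "ApplicationTokenDefaultValidityPeriod",
    "user": "AccessTokenDefaultValidityPeriod",
}
MAX_REASONABLE_SECONDS = 24 * 3600  # assumed review threshold, not a WSO2 value


def audit_token_validity(xml_text, max_seconds=MAX_REASONABLE_SECONDS):
    """Return {token_kind: (seconds_or_None, verdict)} for both token types."""
    root = ET.fromstring(xml_text)
    report = {}
    for kind, tag in TOKEN_ELEMENTS.items():
        node = root.find(f".//{tag}")  # search anywhere; nesting differs by version
        if node is None or node.text is None or not node.text.strip():
            report[kind] = (None, "missing: documented default of 60 min assumed")
            continue
        seconds = int(node.text.strip())
        if seconds < 0:
            verdict = "never expires: token cannot be retired by expiry"
        elif seconds > max_seconds:
            verdict = f"long-lived: {seconds // 3600} h exceeds review threshold"
        else:
            verdict = f"ok: expires after {seconds // 60} min"
        report[kind] = (seconds, verdict)
    return report


if __name__ == "__main__":
    for kind, (secs, verdict) in audit_token_validity(SAMPLE_IDENTITY_XML).items():
        print(f"{kind:12s} {str(secs):>6s}  {verdict}")
```

Run it against a real <APIM_HOME>/repository/conf/identity.xml by passing the file contents to audit_token_validity.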
After an access token is generated, users sometimes want to renew the old token due to expiration or security concerns. API Consumers can re-generate/refresh access tokens in the following ways.
Application access token
When an application access token expires, consumers can refresh the token by logging in to the API Store, selecting the My Subscriptions page, and clicking the Re-generate option shown under Keys.
User access token
To renew a user token, issue a REST call to WSO2 Login API through a REST client. For more information, refer to Renew User Tokens.
After subscribing to an API and generating a key to access it, the next step is to invoke the API through the Gateway using the steps given in section Testing APIs.