This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit

Sharing Applications

WSO2 API Manager provides the facility for users to share their applications and subscriptions with a specific logical group or groups such as an organization. As a result of application sharing, users in the group can view such shared applications.

WSO2 API Manager considers the organization name you enter when signing up to the API Store as the group ID. All the users specifying the same organization name belong to the same group. Therefore, such users that belong to a single group can view each others' subscriptions and applications provided that you have enabled group sharing.

Only the application owner is capable of editing and deleting the application in the shared group.

If there is a requirement to edit or delete an application using a different user (for example due to a reason such as where the application owner has already left the organization etc.), you can achieve this by transferring the ownership of the application to that user who will be the new application owner.

Furthermore, only the application owner is allowed to generate keys for a specific shared application. However, the shared users can generate access tokens and therefore, the shared users will see the Regenerate button which is used to regenerate the access tokens, but not the  Application Keys button.

WSO2 API Manager also provides the flexibility to change this default authentication implementation. 

Enabling application sharing

You can enable application sharing with users in a single group or between users in multiple groups by following the steps below.

  1. Shutdown the server if its running.
  2. Uncomment the <GroupingExtractor> element in the <API-M_HOME>/repository/conf/api-manager.xml file.


    This default extractor does not work with SAML SSO. To enable SAML SSO, you need to define the GroupingExtractor element as follows:

  3. Restart the server.

Sharing an application with multiple users

Group IDs are extracted using a GroupingExtractor class which is an implementation of NewPostLoginExecutor interface. The default implementation is done through the  DefaultGroupIDExtractorImpl class. The organization claim is extracted using the group ID. If a particular user is in more than one organization, provide the organizations as a string separated by commas. 

Share an application with multiple users who are in the same group or who are in multiple groups as follows: 

  1. Start WSO2 API Manager, navigate to the WSO2 Store, and click Sign-up.
  2. Sign up to the API store as two different users (e.g., usera, userb) belonging to the same organizations. Click Show Additional Details to set the organization.

  3. Sign in as usera and add application App_A

  4. Enter the Group ID as org1 and press enter. Click Add. App_A will be shared with all the users in org1 group.

    • You can enter one group ID or multiple group IDs based on the groups with which you wish to share the application.

Using application sharing

You can use application sharing as follows:

  1. Sign out of the API Store. 
  2. Sign in to the API Store as userb
  3. Go to the Applications tab. You will see App_A which was added by usera.

    Note that the name of the application creator is appended to the application name to differentiate the applications.
  4. Subscribe to the default API using App_A.
  5. Log in to the API Store as usera. The subscriptions for App_A by userb will be displayed.

Extending the group ID extractor

The default implementation picks the organization claim as the group ID. The organization names are returned in a string array. To use a different claim or a different type of group ID , you should create your own group ID extractor class by extending the NewPostLoginExecutor interface and overriding the following method.

String[] getGroupingIdentifierList(String response);

When a user signs in to the store, the latter mentioned method is called and it will return all the group IDs that correspond to the user who has logged in to the store. After users sign in to the store, they will be able to see their own applications, which they created, and also the applications that are shared with the group IDs that were returned by the getGroupingIdentifierList method.

Defining a custom user claim as the group extractor claim

You need to get the latest product updates for your product to use this feature in the current version of WSO2 API-M. This feature is available as a product update in WSO2 API-M 2.6.0 from April 26, 2019 onwards.

Note that you can deploy updates in a production environment only if you have a valid subscription with WSO2. Read more about WSO2 Updates.

You can use this WUM update to configure the user claim of your choice from a configuration file rather than use the hard-coded organization claim URI. Thereby, this allows you to have the flexibility of using your own custom claim.

To define a custom user claim URI as the default group extractor claim URI, add the following configuration under the <APIStore> tag in the <API-M_HOME>/repository/conf/api-manager.xml file.