This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit

Subscribe to an API

You subscribe to a published API before using it in your applications. Subscription enables you to receive access tokens and be authenticated to invoke the API.

See the following topics for a description of the concepts that you need to know when subscribing to an API:

The examples here use the PhoneVerification REST API, which is created in the section Create and Publish an API.

  1. Sign in to the WSO2 API Store (https://<hostname>:9443/store) and click on an API (e.g., PhoneVerification 1.0.0) to open it.

    In a multi-tenanted WSO2 API Manager setup, you can access any tenant's store using the URL http://<hostname>:<port>/store?tenant=<tenant_name>.

  2. Note the subscription options for the REST API.

  3. Click the Applications menu and click Add Application to create a new application. 

  4. Enter the name as TestApp and select the per token quota as 50PerMin for the application and click Add
  5. Click APIs and click the PhoneVerification API to view the API's subscription options.
  6. Select the application that you just created, a tier, and click Subscribe.
  7. Click the View Subscriptions button when prompted. 
    The Subscriptions tab opens.

  8. Click the Production Keys tab.

    If you have a supported callback URL that sends a callback to a specific server or program soon after your application request is sent, you can specify it under the Callback URL field in the Production Keys tab.

  9. Click Generate Keys to create an application access token. You can use this token to invoke all APIs that you subscribe to using the same application. 

    You can set a token validity period in the Access token validity period text box. By default, it is set to one hour. If you set a minus value (e.g., -1), the token never expires.

    By default, the Client Credentials grant type is used to generate the access token. Make sure the Client Credentials grant type is selected when generating keys from the UI. For more information on how to generate supported grant types of WSO2 API Manager, see Token API.

    Access Tokens with specific Scopes

    Access tokens can be generated for specific scopes. A scope acts as a limiting factor on what API resources can be accessed using a token. To generate an access token corresponding to a scope, use the drop down menu under Scopes and select the required scope parameter.

    If you are using WSO2 Identity Server 5.6.0 as the Key Manager for your API Manager deployment, generating keys will result in the creation of a Service Provider in the Identity Server.

  10. Install cURL if it is not already installed. 

    cURL comes by default in some operating systems. You can also use a REST client instead.

    1. Open the command line and execute the following cURL command:


      If you get an error that states "Invalid Credentials", carryout the following steps to overcome the error. This error is a result of the access token expiring. The default validity period of the access token is 1 hour.

      1. You can update the token validity period in the Access token validity period text box so that the access token is valid for a longer period, or you can even set a minus value (e.g., -1) so that the token never expires.

      2. Re-generate the access token.
        Click Applications, click the respective application (i.e., TestApp), click Production Keys, and click Re-generate. Thereafter, use the new access token when running the cURL commands.

  11. Similarly, invoke the POST method using the following cURL command:

You have subscribed to an API and invoked it.

To unsubscribe from an API, click the Applications menu and click View next to the application used for the subscription. Go to the Subscriptions tab, locate the API, and click the Unsubscribe link associated with it.

If you unsubscribe from an API and then resubscribe with a different tier, it takes approximately 15 minutes for the tier change to be reflected. This is because the older tier remains in the cache until it is refreshed periodically by the system.