This guide will help you get started consuming APIs in WS02.
Step-by-step guide
- Create a WSO2 Application
- Follow the guide for creating a WSO2 Application here.
- An Application will represent your implementation of consuming the API. This could be in the form of a front-end Single Page Application (SPA), a separate service that needs data from a set of APIs, or just a curl command.
- Subscribe Application to desired API
- Follow the guide to subscribe to a WSO2 managed API here.
- A WSO2 Application can have multiple subscriptions. The WSO2 Application should subscribe to all the APIs needed for the implementation application (SPA, etc.) to function. Having all the needed APIs subscribed under one WSO2 Application will simplify the use of the OAuth access token described below.
- Generate Application keys
- A WSO2 Application may have two sets of credentials (or keys). These keys are used to retrieve an access token, which your code will use to make HTTP requests to your subscribed API. (In WS02, the "TryIt" feature performs this kind of request.)
- Follow the last step in the guide, "Subscribing to an API in the Store" to generate your keys. You may generate both Production and/or Sandbox keys.
- The Production keys are associated with the Production endpoint of a subscribed API, and the Sandbox keys are associated with the Sandbox endpoint of a subscribed API. The following is a screenshot example of the Production/Sandbox endpoint configuration when an API is configured in WSO2:
- Notice that the Production Endpoint should be different than the Sandbox Endpoint. The Production Endpoint represents the service that is production-ready, whereas the Sandbox Endpoint represents a staging service for testing and verification, and/or development.
- Once you have generated your Production and/or Sandbox keys, you will use them to access data from an API. The two examples below each show a different method of how to do this.
- Use an Access Token to make a curl request to your subscribed API
- You can now make a valid request to your subscribed API by taking the "Access Token" as shown above and using it in an HTTP request.
- The "Access Token" represents your authorization to access the API. WSO2 API Manager would return a 403 HTTP response code if you did not provide an access token or if the access token was not a valid token generated from your WSO2 Application keys.
- Add an "Authorization" header in your request with the value: "Bearer <Access Token>" (except replacing <Access Token> with an actual value).
- Here is an example curl request:
curl --header "Authorization: Bearer 271ae9ef62624272e718ede3dfd48eee" https://api.byu.edu:443/domains/tutorials/cars - There you have it! You should see the expected content from your subscribed API.
- Use the "TryIt" feature to make a request to your subscribed API
Please note: OAuth 2.0 specifies four separate authorization grant types: Authorization Code, Implicit Grant, Resource Owner, and Client Credentials. BYU OIT deals primarily with the Authorization Code and Client Credentials grant types. The Authorization Code grant type is used in conjunction with authenticating users. The Client Credentials grant type, on the other hand, is used for service-to-service API calls which do not involve an authenticated user. The procedure of subscribing to and calling an API is different for each grant type. This article explains how to call an API using the Client Credentials grant type only.