Skip to content

Get Started with Publisher APIs

The RESTful APIs exposed from WSO2 API Cloud's Admin portal are implemented as CXF REST web applications based on REST best practices and specifications. API development is started with a Swagger specification with a contract-first approach. See the full swagger definition written using swagger 2.0. This can be also retrieved from the Web app itself using the URL https://<host-name[:port]>/api/am/admin/swagger.json

The API comes with a pluggable security mechanism. Since API security is implemented as a CXF handler, if you need to plug a custom security mechanism, you can write your own handler and add it to the web service.

Before invoking the API with the access token, you need to obtain the consumer key/secret key pair by calling the dynamic client registration endpoint. You can request an access token with the preferred grant type. An example is shown below,

curl -X POST -H "Authorization: Basic base64encode(email_username@Org_key:password)" -H "Content-Type: application/json" -d @payload.json

Sample request:

    "callbackUrl": "",
    "clientName": "rest_api_admin",
    "tokenScope": "Production",
    "owner": "email_username@Org_key",
    "grantType": "password refresh_token",
    "saasApp": true

Sample response:

    "callBackURL": "",
    \"grant_types\":\"authorization_code password refresh_token iwa:ntlm
    urn:ietf:params:oauth:grant-type:saml2-bearer client_credentialsimplicit\"
    "clientName": null,
    "clientId": "HfEl1jJPdg5tbtrxhAwybN05QGoa",
    "clientSecret": "l6c0aoLcWR3fwezHhc7XoGOht5Aa"

During the API invocation process request, you need to invoke the CXF handler first, which calls an introspection API to validate the token. Then generate the access token using the already created OAuth application. A sample call to generate the access token is given below:

Note: Access token must be generated using the correct scope for the resource. Scope for each resource is given in the resource documentation.

Note: The consumer key and consumer secret keys must be Base64 encoded in the format consumer-key:consumer-secret

curl -k -d "grant_type=password&username=email_username@Org_key&password=admin&scope=apim:tier_view" -H "Authorization: Basic SGZFbDFqSlBkZzV0YnRyeGhBd3liTjA1UUdvYTpsNmMwYW9MY1dSM2Z3ZXpIaGM3WG9HT2h0NUFh"

Token response:


Now you have a valid access token that you can use to invoke an API. Navigate through the API descriptions to find the required API, obtain an access token as described above and invoke the API with the authentication header. If you use a different authentication mechanism, this process may change.