The open source WSO2 API Manager is a complete enterprise-class API management solution that combines easy, managed API access with full API governance and analysis.

Design and Prototype APIs

  • Design APIs and gather developer feedback before implementing (API First Design). Design can be done from the publishing interface or via importing an OpenAPI/Swagger definition.
  • Deploy a prototyped API, provide early access to APIs, and get early feedback.
  • Mock API implementation using JavaScript.
  • Supports publishing REST, SOAP, JSON, and XML style services as APIs.
  • Supports exposing GraphQL services as managed APIs.
  • Pre-loaded sample APIs for a hassle-free first experience.
  • Use preferred IDEs and CI/CD tooling for a developer-first user experience.

Publish API Products and Govern the Use of APIs

  • Publish APIs and API Products to external consumers and partners and internal users.
  • Deploy APIs in Kubernetes easily using the API operator for Kubernetes.
  • Deploy and manage APIs in the Istio service mesh.
  • Publish APIs to a selected set of gateways in a multi-gateway environment.
  • Support enforcement of corporate policies for actions like API subscriptions, application creation, etc. via customizable workflows.
  • Manage API visibility and restrict access to specific partners or customers.
  • Manage API lifecycle from cradle to grave: create, publish, block, deprecate, and retire APIs.
  • Publish both production and sandbox keys for APIs to enable easy developer testing.
  • Manage API versions and deployment status by version.
  • One-click deployment to API gateway for immediate publishing.
  • Customize the API lifecycle, including executing custom behavior on lifecycle transitions.

Control Access and Enforce Security

  • Supports OAuth2.0, OIDC, Basic Auth, API Key, Mutual TLS, and more.
  • Restrict API access tokens to domains/IPs.
  • Validate API payload contents against schemas.
  • Apply additional security policies to APIs (authentication and authorization).
  • Supports all standard OAuth2.0 grant types and allows extensions and additions to grants.
  • Works seamlessly with third-party OAuth2.0 providers, standard or proprietary.
  • Allows blocking subscriptions due to non-payment, API abuse, etc.
  • Associate API to system-defined service tiers for quotas and rate-limits.
  • Generate JSON web tokens for consumption by back-end servers.
  • Leverage XACML for entitlements management and fine-grained authorization.
  • Configure Single Sign-On (SSO) using SAML 2.0 for easy integration with existing web apps.
  • Threat protection, bot detection, and token-fraud detection.
  • Supports detection of abnormal system use through artificial intelligence and machine learning.

Developer Portal

  • Graphical experience similar to popular application stores.
  • Browse and search APIs by provider, tags, or name.
  • Provision API keys.
  • Subscribe to APIs and manage subscriptions on a per-application basis.
  • Subscriptions can be at different service tiers based on expected usage levels.
  • Interactive API Test console.
  • Internationalization support.
  • Notifications enabled for new versions of subscribed APIs.
  • Common view of the store for users registered under the same organization.

Manage Developer Community

  • Self-registration for developer community to subscribe to APIs.
  • Developer interaction with APIs using comments and ratings.
  • View API consumer analytics.
  • Tools for API product managers to proactively manage API subscriptions.
  • Tooling to develop services, features, and artifacts and manage their links and dependencies through a simplified graphical editor.

Manage and Scale API Traffic

  • The API gateway routes application traffic to services. It supports SSL termination, URL rewriting, and other standard features of a router while adding on the quality of service attributes for APIs.
  • Highly scalable Microgateway, purpose-designed for microservice architectures.
  • Separate production and sandbox traffic on different API gateways.
  • Supports protocol transformation, data transformation, and API composition.
  • Maps between HTTP(s) and other protocols, such as JMS or writing to file systems.
  • Traffic Manager enforces rate limiting and dynamic throttling based on usage quotas and bandwidth quotas.
  • Protect API backends from DDoS.
  • Horizontally scalable with easy deployment into a cluster using proven routing infrastructure.
  • Extremely high performance pass-through message routing with minimal latency.

Monitor and Monetize

  • API usage published to a pluggable analytics framework (requests, responses, faults, throttling, subscriptions, and self-sign-ups, to name a few).
  • Out-of-the-box integration with Stripe for monetizing APIs, and plugs in to other platforms.
  • Out-of-the-box support for Google Analytics.
  • Provides many usage graphs, such as API latency and API usage comparison, that help monitor API and application performance, and much more.
  • Trace and observe API requests.
  • Track consumer analytics per API, API version, tier, and consumer.
  • Configurable payment schemes to monetize API usage.
  • Monitor SLA compliance.
  • Publish your own events and create dashboards.

Pluggable, Extensible, and Themeable

  • All components are highly customizable through styling, theming, and code extensions.
  • Portals are developed in ReactJS using the material-ui styles. Highly themeable and customizable.
  • Responsive design for the Developer portal.
  • All functionality is exposed via REST APIs, which allows you to create your own portal or automate API deployment through DevOps.
  • Pluggable to third-party analytics systems and billing systems.
  • Pluggable to existing user repositories including Microsoft Active Directory, LDAP, databases, or Apache Cassandra.
  • Components usable separately: developer portal can be used to catalog APIs deployed in third-party gateways.

Easily Deployable in Your Enterprise

  • Role-based access control for managing users and their authorization levels.
  • Developer portal can be deployed in DMZ for external access with publisher inside the firewall for private control.
  • Different user stores for developer-focused portal and internal operations in publisher.
  • Integrates with enterprise identity systems including LDAP and Microsoft Active Directory.
  • Gateway can be deployed in DMZ with controlled access to WSO2 Identity Server (for authentication/authorization) and governance database behind firewall.

WSO2 Platform Multi-Tenancy Support

  • Run a single instance and provide API management to multiple customers, each in their own domain.
  • Share APIs between different departments in a large enterprise.