WSO2Con2025 Logo

March 18-20 | Barcelona, Spaain

 
cloudblog
2019/01/23
January 23, 2019
3 min read

Share Your API Subscriptions With Your Team

APIs published in WSO2 API Cloud are secured with Oauth tokens. Therefore, before invoking them you need to subscribe to the API and generate an Oauth token. To subscribe to an API you need to create an application (a virtual one). If you are not familiar with the concepts you can find more detail in our tutorials.

One request we had been receiving from our users was the ability to share these subscriptions with others in their teams. This seemed to be a very valid requirement. Most of the times there is a team who develops an application which will consume these APIs. Even-though one person subscribes and generate tokens to invoke an API, it makes sense for others to have some control on that subscription. For example they might need to re-generate a token due to some urgent security reason or subscribe to another API needed by their application without being by the application owner to do it. Basically, this reduces the impact of a centralized ownership in your API consumption process. After considering this, we have released a feature which allows subscriptions to be shared with the team.

How this works?

When users create applications in the API developer portal they can define a group(s) which they want to share the application with. Here, what is meant by a group is a role in their organization. You can read more about roles and assigning users to them from this tutorial.

If there is a "Finance" role in the organization and if it is provided as the group to share the application (as shown in the above image), then anyone signing into the developer portal who has that role is able to see that application.

Others in the team can see the subscriptions made by this application, view the tokens and also re-generate the tokens if needed. But, if they are not the application owner, they cannot do the token generation for the first time. i.e. It has to be the owner who does the first token generation. Application owner has full control over the application and the others have less control. For example, they cannot unsubscribe from an API which was subscribed by the application owner. But the owner can unsubscribe from APIs which were subscribed by others using his/her application.

You can follow the steps in our tutorial to implement this for your organization.