September 08, 2020

Introducing WSO2 API Microgateway 3.2

With the rise of microservice-based architecture, many organizations are moving towards an API-led strategy. This is where micro gateways come into play. WSO2 API Microgateway is a developer-centric, cloud-native, decentralized API gateway specifically designed to support this approach. In this post, we will be looking at the new features and improvements of the latest release: WSO2 API Microgateway 3.2.


WSO2 API Microgateway is a high-performance, lightweight, developer-centric, and cloud-native API gateway designed for microservices architecture (MSA). Micro gateways are becoming increasingly popular because the world is moving towards MSA, and micro gateways are the key component for exposing these microservices as APIs to the outside world. Because micro gateways are cloud native, they can be exposed as client-facing ingress gateways or attached as sidecars to microservices, handling both North-South and East-West traffic.

The new WSO2 API Microgateway 3.2.0 comprises a rich set of features to cater to API management challenges faced by organizations adopting MSAs.

Circuit Breaker, Retry, and Timeout Capabilities

As a reverse proxy, the gateway should prevent failures from cascading across internal services. Certain services may become overloaded and may not be able to handle any more requests for certain periods of time. The gateway should handle these scenarios by applying circuit breaker functionality, so that no further requests are sent to those services.

There can also be key services that the gateway has to retry when the first attempt to reach them fails. In those cases, the gateway retries the connection to the upstream service before sending an error response to the client. Certain upstream services may take longer to respond depending on the amount of traffic they serve, so the time the gateway waits for a response can differ based on the upstream it connects to. Timeouts should therefore be configurable per upstream service.

WSO2 API Microgateway allows configuring timeouts, circuit breakers, and retry configs as per the requirements relating to upstream services.

Figure 1: Retry and Timeout configuration

Figure 2: Circuit Breaker configuration.

JWKS Support for JWT Verification

A JSON Web Key Set (JWKS) is a set of keys containing the public keys used to verify the signature of the JWTs issued by an authorization server. An authorization server exposes a JWKS endpoint that publishes these public keys, and the gateway uses them to validate the signature of JWTs arriving as bearer tokens in API requests. The new release allows configuring a JWKS endpoint for each JWT issuer (i.e., authorization server). WSO2 API Microgateway will validate the JWT by contacting the JWKS endpoint of the respective JWT issuer.
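The per-issuer check described above, sketched as an added example (not WSO2 code or configuration): the gateway side picks the key set by the token's `iss`, selects the key by `kid`, pins the algorithm, and verifies the RS256 signature. The issuer URL, key ID, function names and the toy RSA key are all constructed for the demo, and the cached dictionary stands in for the response of each issuer's JWKS endpoint.

```python
import base64, hashlib, json

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# Constructed toy RSA key built from two Mersenne primes: demo only, insecure.
E, N = 65537, (2**521 - 1) * (2**607 - 1)
D = pow(E, -1, (2**521 - 2) * (2**607 - 2))
K = (N.bit_length() + 7) // 8
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def emsa(msg: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg) for a k-byte modulus (RS256)."""
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def issue(claims: dict, kid: str) -> str:
    """Stand-in for the authorization server: returns an RS256-signed JWT."""
    head = b64u(json.dumps({"alg": "RS256", "kid": kid}).encode())
    signed = head + "." + b64u(json.dumps(claims).encode())
    sig = pow(int.from_bytes(emsa(signed.encode(), K), "big"), D, N)
    return signed + "." + b64u(sig.to_bytes(K, "big"))

# Constructed: issuer -> key set, as a gateway would cache it from each JWKS endpoint.
JWKS_BY_ISSUER = {"https://idp.example/oauth2/token": {"keys": [
    {"kty": "RSA", "kid": "k1", "n": b64u(N.to_bytes(K, "big")), "e": "AQAB"}]}}

def verify(token: str) -> dict:
    """Gateway side: choose the issuer's JWKS, select the key by kid, check the signature."""
    head_b64, body_b64, sig_b64 = token.split(".")
    head, claims = json.loads(b64u_dec(head_b64)), json.loads(b64u_dec(body_b64))
    if head.get("alg") != "RS256":                 # pin the algorithm; the token does not choose
        raise ValueError("unexpected alg")
    jwks = JWKS_BY_ISSUER.get(claims.get("iss"))   # only issuers configured on the gateway
    if jwks is None:
        raise ValueError("unknown issuer")
    key = next((j for j in jwks["keys"] if j["kid"] == head.get("kid")), None)
    if key is None:
        raise ValueError("no key for kid")
    n, e = (int.from_bytes(b64u_dec(key[f]), "big") for f in ("n", "e"))
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(b64u_dec(sig_b64), "big"), e, n).to_bytes(k, "big")
    if em != emsa(f"{head_b64}.{body_b64}".encode(), k):
        raise ValueError("bad signature")
    return claims
```

The sketch covers only signature validation; expiry and audience checks on the returned claims are a separate step.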

Custom Claims Mapping for JWTs

WSO2 API Microgateway 3.2 offers a new feature to transform the claims to be sent in the backend JWT. The claims of the incoming authentication JWT can differ based on the authorization server that issued the JWT token. This feature maps the incoming JWT remote claims to the local claims of the micro gateway as well as the claims expected by the backend service. The keys or values of the remote claims of the JWT are replaced with the local claims. Because remote claims come from an external provider, they need to be mapped to local claims.

With this feature, users can easily generate JWTs with any type of claim.

Integrate with WSO2 API Manager for Custom Siddhi Policies and Deny Policies

WSO2 API Manager has the ability to define custom Siddhi-based policies to perform rate limiting for APIs exposed via gateways. The Siddhi-based custom policies give developers flexibility in how they shape the traffic that comes into their APIs. These Siddhi-based policies can be added using WSO2 API Manager’s admin portal. They are Siddhi queries that can filter certain requests and block access once a certain upper limit is reached.

WSO2 API Microgateway has the capability to enforce Siddhi-based throttle policies when it is integrated with WSO2 API Manager. WSO2 API Microgateway will publish the throttle data to the traffic manager component of WSO2 API Manager and will apply custom policies based on the decisions sent by the traffic manager.

WSO2 API Microgateway supports deny policies defined in the admin portal of WSO2 API Manager. There can be scenarios where API developers need to block certain people from accessing the API. This can be based on IP, IP range, application, application user, etc. Once deny policies are configured in WSO2 API Manager’s admin portal, WSO2 API Microgateway will fetch those policies and apply those policies on the fly.

Improvements in WSO2 API Microgateway 3.2

This section describes the improvements in WSO2 API Manager 3.2.

Backend JWT generation of Microgateway

WSO2 Microgateway 3.2 introduces a new feature to generate JWT tokens. Earlier versions provided the ability to attach a JWT token to the backend request in a customized header, but this was restricted: the JWT token had to be included in the authentication token as a custom claim with a 'backendJwt' key. The new JWT generation feature provides developers with the capability to send a generated JWT token to the backend attached in the desired request header, customizing the standard and custom claims. Developers are given the freedom to add, modify, or remove claims to and from the newly generated JWT token.

Moreover, the configurations will provide control over all the aspects of the generated token from the token issuer, validity period (expiration claim), and the audience to the restricted claims in the final token. Therefore, developers will have the flexibility to use a separate authentication mechanism in the backend if required, as well as use the populated claims in the generated JWT token for complex business logic scenarios.

Figure 3: Decoded content of backend JWT
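The claim mapping and backend JWT generation described above, as an added example (not WSO2 code or configuration): remote claims are renamed per issuer, restricted claims are dropped, and issuer, audience and expiry are set by the gateway. The mapping table, restricted list, issuer and audience values and function names are hypothetical, and HS256 with a constructed secret is used only to keep the example standard-library only.

```python
import base64, hashlib, hmac, json, time

# Hypothetical per-issuer mapping: remote claim name -> local claim name.
CLAIM_MAPPING = {
    "https://idp.example/oauth2/token": {"groups": "roles", "preferred_username": "user"},
}
RESTRICTED = {"jti", "nbf", "scope"}       # hypothetical: never forwarded to the backend
BACKEND_ISS, BACKEND_AUD, VALIDITY_S = "gateway.example", "orders-backend", 900
SECRET = b"constructed-demo-secret"        # constructed value, demo only

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def backend_claims(incoming: dict, now: int) -> dict:
    """Map remote claims to local names, drop restricted ones, reset standard claims."""
    mapping = CLAIM_MAPPING.get(incoming.get("iss"), {})
    out = {k: v for k, v in incoming.items() if k not in mapping and k not in RESTRICTED}
    for remote, local in mapping.items():
        if remote in incoming and local not in RESTRICTED:
            out[local] = incoming[remote]  # mapped value wins over a same-named incoming claim
    # Standard claims come from gateway settings, never from the caller's token.
    out.update({"iss": BACKEND_ISS, "aud": BACKEND_AUD, "iat": now, "exp": now + VALIDITY_S})
    return out

def backend_jwt(incoming: dict, now=None) -> str:
    """Build and sign the token that would be attached to the backend request header."""
    claims = backend_claims(incoming, int(time.time()) if now is None else now)
    signed = b64u(b'{"alg":"HS256","typ":"JWT"}') + "." + b64u(json.dumps(claims).encode())
    mac = hmac.new(SECRET, signed.encode(), hashlib.sha256).digest()
    return signed + "." + b64u(mac)
```

The `incoming` dictionary is assumed to be the claim set of a token whose signature has already been validated.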

Integrate with Third-Party Key Managers for Security and API manager for Subscriptions

WSO2 API Microgateway can be integrated with external secure token services (authorization servers), which issue OAuth 2 bearer tokens (opaque or self-verifiable JWTs). In earlier versions, subscription validation was supported only for JWTs issued by the WSO2 API Manager key manager, as it produced self-contained JWTs that also carried all the subscription details. With the latest version, we can configure any STS with WSO2 API Manager. With this feature enhancement, users can enforce subscription validation for any external authorization server that issues JWTs.


WSO2 API Microgateway is a continually evolving product that offers best-in-class support for solving modern API management challenges faced by organizations—especially when working with microservices architecture.

Visit our website, download the latest version of WSO2 API Microgateway, and explore all these amazing features yourself.