Advanced OAuth 2.0 Support to Protect Your Mission-Critical APIs

Enforce rigorous API access management at any scale with WSO2’s IAM solutions, powered by the market’s most comprehensive OAuth 2.0 support, and designed for tight integration with API gateways.

Try Asgardeo

Startups, Enterprises and Entire National Governments Worldwide Trust WSO2 to Secure Trillions of API Transactions

WSO2 Customer Logos
WSO2 Customer Logos

Protect Your API Ecosystem

Your organization requires strong, flexible access and authorization management to secure access to your APIs. Choosing the right solution will help you easily handle all your API access management use cases, even the most challenging, and complex.

Customer Identity

Critical considerations for an API access management solution

  • Proven in the marketplace
  • The most advanced, standards based authorization capabilities
  • Close coordination with your API gateway
  • A deployment model for your authorization service that matches your architecture strategy

Customer Spotlight

London UK Transit System Uses WSO2 to Secure Mission-Critical APIs for Improved Commuter Experience

Eight million commuters depend on TFL’s mass transit solutions every day. WSO2 ensures API security for TFL’s technology which handles credit card transactions, routing and scheduling management, emergency response and analytics.

Customer Spotlight

Standard Chartered Bank Ensures Smooth, Secure Business Operations Using WSO2 to Protect Sensitive Internal APIs

SCB’s internal applications exchange data and services between multiple business units, using various API gateways from multiple vendors. WSO2 helps ensure smooth business operations by securing thousands of transactions per second.

Unlock the Full Potential of OAuth 2.0

All the OAuth 2.0 basics you expect

  • Support for the access token lifecycle (request, issue, expiry, refresh)
  • Defining scopes and claims for authorization
  • Creating basic policies and rules to determine who can access APIs
  • Support for the most popular token formats including JWT
Customer Identity

WSO2 Delivers Above and Beyond the Expected

Consent-based authorization

Require positive user consent before authorizing the request

Attribute-based authorization

Define an ABAC model for authorization policies

Authentication level based authorization

Enhance authorization for more sensitive resources with stronger authentication requirements

Mutual TLS Certificate bound access tokens

Bind the access token provided by the authorization server to the client's certificate

Pushed Access Request (PAR)

Provide a more secure way to initiate an authorization request using backchannel communication

JWT Secured Authorization Response Mode (JARM)

Enhance the security of the authorization response by signing and optionally encrypting it

Token exchange

Enable SSO between mobile apps without opening a separate browser window

Device authorization grant (or Device Flow)

Allow users to sign in to input-constrained devices such as a smart TV, IoT device, or a printer


FAPI Baseline and Advanced Profiles

Implement the higher security standard required for high-value transactions

Authentication flow integrated with the API access itself

Simplify and streamline the application developer experience


Make Your API Gateway More Secure

API gateways need to protect access to critical APIs, but their simple built-in security features are not sufficient for today's challenging environment. Enhance the security of your API gateway with state-of-the-art OAuth 2.0 authentication and authorization.

Customer Identity

Proven success working with popular API gateways

  • Many popular API gateways support basic OAuth 2.0, but this often falls short of real-world requirements
  • WSO2 IAM solutions integrate with all API gateways that support the OAuth 2.0 standard to delegate authorization to an external service

WSO2 enhances third-party API gateway functionality

  • WSO2 delivers innovative OAuth 2.0 capabilities (described above) that enhance any API gateway’s authorization flexibility
  • WSO2 acts as a centralized access policy service for all your API authorization needs
  • WSO2’s full-featured IAM capabilities enable your API authorization policies to tap into features such as user management, authentication, detailed authorization policies, consent management, and more.

Get to production faster by using WSO2’s API gateway solutions

  • Reduce custom development for high-value functions
  • Automatic JWT token revocation, eliminating the need for short token expiry or additional revocation requests made to the access token service
  • Automatic propagation of security events occurring at the API access level, such as a user password change or account disabling, which affect authorization logic
  • Specialized access tokens, such as single use

Operate in the Cloud, On-Premises or in Hybrid Environments


IDaaS Deployment for Speed and Simplicity

Get up and running instantly with our multi-tenant SaaS solution. Add your critical cloud-based business applications in minutes.


Run it Yourself or Use Our Private Cloud Deployment

Use self-hosted software or let us host it for you. Address requirements such as integrating with Windows desktop authentication or legacy solutions.