16 Apr, 2020

Securing APIs With WSO2 Microgateway

  • Menaka Jayawardena
  • Associate Technical Lead - WSO2


APIs handle practically every function in modern organizations. From booking a movie ticket to processing complex bank transactions, APIs play an important role. Organizations expose their services via APIs to the public and also internally in order to expand their business opportunities and increase revenue. As a result, APIs are being used by multiple parties and people, both internal and external users. It is very important that only authorized users can use specific APIs and there is no misuse of APIs that consume valuable data and services of an organization.

API Security

There are 2 main categories of API security:

  • Transport Level Security
  • Application Level Security

Transport Level Security

Transport Level Security (TLS) ensures the privacy and the integrity of communication between two parties. This mechanism uses certificates to encrypt the data that is transferred between parties where only the ones who have the certificate of the other party can read the information. In the modern API driven ecosystem, proper TLS is mandatory.

Application Level Security

Application security is vital for any API to prevent unauthorized access to backend services and data. There are multiple mechanisms that can be used for application-level security. These include:

  • API Key authentication
  • Basic authentication
  • OAuth2
  • JSON Web Token (JWT) authentication

Basic Authentication

Basic authentication is a simple authentication mechanism where the user sends his/ her credentials in the Authentication header in base64 encoded format. This is the most basic mode of authentication of an API.


API Key authentication is a simple mechanism of identifying the user who is invoking the API. This is different from OAuth2 and does not need an authorization server. The API Key can be sent as a query parameter, in a header or any other way that the server permits. This method is best suited for API testing, API developers or internal use in an organization.


OAuth2 is the industry-standard protocol for authorization which is based on access tokens. In order to invoke an API, the user must obtain an access token providing the credentials to an authorization server. The credentials can be the user name and password of the user or credentials from an application depending on the grant type. The authorization server will provide a token that has a limited lifespan after validating the user. The user then can invoke the API with this token. The token could be in JWT type or opaque and it depends on the authorization server implementation.

API Security With WSO2 API Microgateway

WSO2 API Microgateway is a lightweight, super-fast, cloud native, developer-focused, and 100% open source product that enables you to expose microservices as managed APIs. It also provides an easy to use, strong security layer for APIs which helps the user to easily configure and enforce proper authentication/ authorization mechanisms to secure their APIs. WSO2 API Microgateway provides several features in securing APIs:

  • API Key issuer and API Key authentication
  • JWT authentication and support for multiple JWT issuers
  • Mutual SSL authentication for APIs
  • Support multiple security schemes for APIs
  • Support combining authentication schemes
  • Internal/external key manager support

API Key Issuer and Authentication

WSO2 API Microgateway opted with a Security Token Service (STS) that could generate API Keys that can be used to invoke the APIs exposed via WSO2 API Microgateway. The generated API Key will be a self-contained JSON Web Token (JWT) that contains information about the user, subject, issuer, etc. WSO2 API Microgateway can also be configured to generate an API Key that allows for specific APIs. This could be helpful when using multiple MGW instances and restricting API Keys to be used for APIs published in each MGW instance. There are other configurations such as validity period, certificate, etc. You can find the other configuration parameters here.

In order to configure the APIs to use API Key authentication, the security schemes should be defined in the API definition. WSO2 API Microgateway accepts the API Key in as a header parameter or query parameter and you can configure the parameter name as well. It is also possible to use a different API Key header for different resources in the same API.

JWT Token Authentication

JWT token validation is built into the gateway itself in WSO2 API Microgateway. This enables the gateway to validate JWT tokens issued by a trusted authorization server. Also, if the token is a self-contained token, WSO2 API Microgateway is also capable of performing the subscription validation and scope validation.

Support for Multiple JWT Issuers

WSO2 API Microgateway supports the ability to configure multiple trusted JWT token issuers. This feature helps in scenarios where organizations have multiple trusted Auth providers (key managers). During the token validation, the JWT token will be sequentially validated with each issuer.

Mutual SSL Authentication for APIs

In WSO2 API Microgateway, APIs can be secured with mutual SSL where API clients can use their certificate to invoke the particular API. When the API is secured with mutual SSL, the client is not required to provide the credentials or tokens to invoke the API.

Support Multiple Security Schemes for APIs and Resources

WSO2 API Microgateway supports the following security schemes for securing APIs:

  • API Key
  • JWT token authentication
  • OAuth2
  • Basic authentication
  • Mutual SSL authentication

It is possible to enforce different security schemes for each resource or globally as an API level in WSO2 API Microgateway.

Support for Combined Authentication Schemes

With WSO2 API Microgateway, you can now combine Transport Layer Security (Mutual SSL) and Application Level Security and enforce the API. With this, APIs can be invoked using either the mutual SSL or application security mechanism specified (Oauth2, API Key, etc.).

Internal/ External Key Manager Support

WSO2 API Microgateway supports WSO2 API Manager as a key manager or third party key manager. Plus, it has the capability to validate subscriptions when WSO2 API Manager is used as the key manager.

  • Internal Key Manager
  • WSO2 API Manager can be configured as an internal key manager with WSO2 API Microgateway. In this configuration, WSO2 API Microgateway invokes the API Key Validation service of WSO2 API Manager. This enables WSO2 API Microgateway to use opaque tokens with the subscription validation.

    WSO2 API Microgateway with WSO2 API Manager as internal key manager

  • External Key Manager
  • A third party key manager can be configured as an external key manager. In this configuration, WSO2 API Microgateway uses the third party key manager’s token introspection endpoint to validate the access token.

    WSO2 API Microgateway with a third party external key manager


This article focuses on the security aspects of APIs, which is a crucial part of any API management solution. There are several methods to secure APIs as discussed in this article. WSO2 API Microgateway, as a solution for exposing microservices as managed APIs, supports a vast array of security features that can be easily configured to suit the API Security requirements of the organization.

Download the latest version of WSO2 API Microgateway and the Microgateway tool kit and try it out for yourself.

This article was originally published on DZone on April 15, 2020. You can access it here too.


About Author

  • Menaka Jayawardena
  • Associate Technical Lead
  • WSO2