WSO2 API Manager 2.6.

0
Fundamentals
Publishing APIs
WSO2 Training

1
User Roles of API Publisher

API Creator API Publisher

Typical users of the API Publisher : API creator, API publisher

Instructor Notes
Sign in to the API Publisher using the apicreator user that you created earlier
and show the UI

2
Sample API : Interactive Tutorial

When you sign in to the API Publisher for the first time, you get the option to deploy
a sample API to test out the API Manager functionality.
Sample API

Link - Quick Start Guide

When you sign in to the API Publisher for the first time, you get the option to deploy
a sample API to test out the API Manager functionality.
API Design

Link - Create and Publish API's

When creating an API you can begin with an existing API endpoint, use a SOAP
endpoint, design and prototype a new REST API, or Design a new Websocket API.
API Design

Link - Create and Publish API's

API creation is the process of linking an existing backend API implementation to the
API Publisher so that you can manage and monitor the API's lifecycle,
documentation, security, community, and subscriptions. Alternatively, you can provide
the API implementation in-line in the API Publisher itself.

Name: Name of the API as you want it to appear in the API Store
Context URI context path that is used by API consumers. (e.g., /phoneverify)

Version API version in the form of version.major.minor. (e.g., 1.0.0)

Visibility settings prevent certain user roles from viewing and modifying APIs created
by another user role. The visibility values mean the following:
● Public : The API is visible to all users (subscribers and anonymous users) of its
tenant store. Also, the API can be advertised in multiple stores - a central
store and/or non-WSO2 stores.
● Visible to my domain : The API is visible to all users who are registered in the
API's tenant domain.
● Restricted by Roles : The API is visible only to specific user roles in the tenant
store. When Restricted by Roles is selected, a new field called Visible to
Roles appears where you can specify the user roles that have access to the
API in a comma-separated list (no spaces).

Tags
● Any number of tags can be entered separated by commas.
 ● Tags allow you to group/categorize APIs that have similar attributes and
behaviors.
● When tagging, always use relevant keywords and common search terms.
● Once a tagged API gets published to the API store, its tags appear on the
dashboard as links to the API consumers who can click on them to quickly
jump to a category they are interested in.

Resources: An API is made up of one or more resource. Each resource handles a

particular type of request and is analogous to a method (function) in a larger API.

URL Pattern: A URL pattern can be one of the following types:

● As a url-mapping. e.g., /state/town/*
● As a uri-template. e.g., /{state}/{town}

HTTP Verb: The HTTP methods that specify the desired action to be performed on
the resource. These methods can be GET, POST, PUT, DELETE, or OPTIONS. Multiple
methods can be selected.

Import Swagger Definition: An existing Swagger Definition can be imported to create

the API.
API Implementation

Link - Create and Publish API's

APIs can be implemented as Managed APIs which are subscribable, or

Prototyped APIs, which users can try out without subscribing.

● An endpoint is a specific destination for a message such as an address, a

failover group or a load-balance group. WSO2 API Manager supports a range
of different endpoint types, allowing the API Gateway to connect with
advanced types of backends.
● An HTTP endpoint is a REST service endpoint based on a URI template.
● Address endpoint is the direct URL of the service.
● Failover Group endpoint are the endpoints that the service tries to connect to
in case of a failure. This happens in a round-robin manner.
● Load Balance endpoint is the endpoints where the incoming requests are
directed in a round-robin manner. They automatically handle fail-over as well.
● Default endpoint is the endpoint that sends the message to the address
specified in the To header.
● Endpoint of the back-end service URL and endpoint of sandbox
(testing) back-end service. A sandbox URL is used for online testing of
an API with easy access to an API key.
● Endpoint security scheme: Secured endpoint or Non secured endpoint.
Default is non-secured endpoint.
● If secured endpoint is selected, user is asked for credentials of the
 ● backend service.
● Destination based usage tracking: Enable this feature to generate a
graph showing the number of times an API accesses its destination
addresses. This graph is generated in the API Manager Statistics
dashboard. It gives API Publishers an insight about the requests that
leave the Gateway to destination endpoints, especially useful in cases
where the same API can reach different endpoints (e.g., Load-balanced
endpoints).

Deploy Prototype: The API will be deployed as a sample or a model API. The purpose
of a prototyped API is to give the API users an early implementation of the API so
that they can use it without subscribing, and comment on its effectiveness and
request improvements. You then change the API's implementation according to user
comments and publish it. A published API is available for subscription and
monetization.
Managing APIs

Link - Create and Publish API's

Default Version: All API contexts are suffixed with an API version. The default version
option allows you to mark one API, from a group of API versions, as the default one,
so that it can be invoked without specifying the version number in the URL.

Throttling tiers: Throttling allows you to limit the number of hits to an API during a
given period of time.
The API Manager comes with three default tiers as Gold, Silver and Bronze. Each tier
defines a maximum number of requests per minute.
Bronze - Allows 1 request for the API per minute
Silver - Allows 5 requests for the API per minute
Gold - Allows 20 requests for the API per minute
In addition, there is also a special tier called Unlimited, which allows unlimited access.

Expose in HTTP and/or HTTPS transport: The transport protocol on which the API is
exposed. Both HTTP and HTTPS transports are selected by default. If you want to
limit API availability to only one transport (e.g., HTTPS), un-check the other transport.

Enable Hard Throttling Limit: Hard throttling limits the total number of calls the API
Manager is allowed to make to the backend. While the other throttling levels define
the quota the API invoker gets, they do not ensure that the backend is protected from
overuse. Hard throttling limits the quota the backend can handle.

Custom sequences: Custom sequences that you want to invoke in the message flow.
Response caching: Used to enable caching of response messages per each API.
Caching protects the backend systems from being exhausted due to serving the
same response (for same request) multiple times. If you select the enable option,
specify the cache timeout value (in seconds) within which the system tries to retrieve
responses from the cache without going to the backend.

Subscription: Used to specify the tenants who can subscribe to an API, in a

multi-tenanted API Manager deployment. The following types of subscription
categories are available between tenants:
Available to current Tenant Only - Only users who are in the current tenant domain,
i.e., the tenant domain of the API creator, can subscribe to this API.
Available to All the Tenants - Users of all tenant domains in the API Manager
deployment can subscribe to this API.
Available to Specific Tenants - Users of specified tenant domains as well as the
current tenant domain (i.e., the tenant domain of the API creator) can subscribe to
this API.

Scope:
Auth type: Different levels of authentication (none, application, application user or
both) can be specified to each HTTP method of the resource.

Scopes enable fine-grained access control to API resources based on user roles. You
can define scopes to an API's resources. When a user invokes the API, his/her OAuth
2 bearer token cannot grant access to any API resource beyond its associated scopes.
Publish API and Manage Lifecycle
Default API lifecycle
○ CREATED: Not visible to subscribers
yet
○ PROTOTYPE: Visible internally on
store to try out
○ PUBLISHED: Visible to subscribers in
API Store
○ DEPRECATED: Available to existing
users only
○ RETIRED: Unpublished and deleted
○ BLOCKED: Access is temporarily
blocked

Link - Publish the latest version and Deprecate the Older version

APIs have a number of statuses. APIs once created are not visible on the store and
must be published in order to make it appear on the store. A prototyped API is visible
internally on the store for testing purposes. Deprecated APIs are available to existing
users only, while retired ones are removed from the store. APIs can also be
temporarily blocked.

Publishing an API
o Makes it visible on the API Store
o Enables API consumers/app developers to subscribe and use it

With the integration of the registry life cycle to the API life cycle of WSO2 API
Manager, it is possible to extend the existing API life cycle and customize it according
to your preference.
APIs & Services
APIs and Services

API Life Cycle Service Life Cycle

Created Defined

Retired Developed

Retired Published

Published as
API Reviewed

Deprecated In Production

Link - API Lifecycle

An API is the published interface, while the service is the implementation running in
the backend. APIs have their own lifecycles that are independent to the backend
services they rely on. This lifecycle is exposed in the API publisher Web interface and
is managed by the API publisher role.
API Documentation

Good API documentation helps

○ Explain your APIs
○ Market your APIs

Add documents using

○ API Publisher UI
○ Swagger UI

Link - Adding Documentation to API's

The importance of documentation cannot be over emphasized. You can add different
types of documents to an API. Proper documentation helps API publishers to market
their APIs better and sustain competition. Documents can be added from the API
Publisher UI and Swagger. Swagger is a specification and a complete framework
implementation for describing, producing, consuming, and visualizing RESTful Web
services.
Support for Swagger 2.0 and 3.0

Link - Using Swagger Tool

Swagger is a 100% open source, standard, language-agnostic specification, and a

complete framework for describing, producing, consuming, and visualizing RESTful
APIs, without the need of a proxy or third-party services. Swagger allows consumers
to understand the capabilities of a remote service without accessing its source code
and interact with the service with a minimal amount of implementation logic.
Swagger helps describe a services in the same way that interfaces describe
lower-level programming code.

The Swagger UI is a dependency-free collection of HTML, JavaScript, and CSS that

dynamically generate documentation from a Swagger-compliant
API. Swagger-compliant APIs give you interactive documentation, client SDK
generation and more discoverability. The Swagger UI has JSON code and its UI
facilitates easier code indentation, keyword highlighting, and shows syntax errors on
the fly. You can add resource parameters, summaries, and descriptions to your APIs
using the Swagger UI.
Maintain API Version within API Context

{version}/{context}
Example:

1.0.0/pizzashack

13

WSO2 API Manager allows you to define the version before the context (e.g.,
1.0.0/servicename) allowing the grouping of API based on the versions.

Tip: You can define the API's version as a parameter of its context by adding
the {version} into the context. For example, {version}/phoneverify. The API Manager
assigns the actual version of the API to the {version} parameter internally. For
example,link. Note that the version appears before the context, allowing you to group
your APIs according to versions.

13
User Tenants

A tenant is an isolated domain. The users within this domain can manage their own
data and perform their own transactions without being affected by actions carried
out in other domains.

• Why, what, and where do they come into play?

 Let’s try it out!

Creating and Publishing the PizzaShack API

Import/Export APIs
Working with Tenants

A tenant is an isolated domain. The users within this domain can manage their own
data and perform their own transactions without being affected by actions carried
out in other domains.

• Why, what, and where do they come into play?