About this Release

WSO2 API Manager is a platform for creating, managing, consuming, and monitoring APIs. It employs proven SOA best practices to solve a wide range of API management challenges such as API provisioning, API governance, API security, and API monitoring. It combines some of the most powerful and mature components of WSO2's state-of-the-art Carbon platform to deliver a smooth, end-to-end API management experience while catering to both API publisher and API consumer requirements.

WSO2 API Manager comprises the following modules:

  • Publisher Portal: Define new APIs and manage them.
  • Developer Portal: Browse published APIs and subscribe to them.
  • API Gateway: The underlying API runtime based on WSO2 Enterprise Integrator (WSO2 EI) 6.5.0.
  • API Key Manager: Performs key generation and key validation functionalities.
  • API Traffic Manager: Performs rate limiting of API requests.

For more information on WSO2 API Manager, see the overview in the WSO2 API Manager 3.0.0 documentation and the WSO2 API Manager product page on the WSO2 website.

What is new in this release

The WSO2 API Manager 3.0.0 is the latest WSO2 API Manager release and is the successor of WSO2 API Manager 2.6.0. It contains the following new features and enhancements:

New features

  • API Monetization

    WSO2 API Manager provides support for API monetization out of the box, making it possible to integrate with any third-party billing engine using the available pluggable extension points in WSO2 API Manager.

  • JWT Authentication

    JWT Authentication allows users to use self-contained tokens when invoking APIs. When an API is secured using the OAuth2 security scheme, the JWT access tokens that are issued for the users from the Developer Portal can be used to invoke APIs.

  • API Schema Validator

    WSO2 API Manager allows users to use their OpenAPI definitions to enforce request and response validation without any additional work (e.g., implementing custom mediations).

  • GraphQL API support

    Users can use Schema Definition Language (SDL) schemas to design GraphQL APIs in WSO2 API Manager. API Manager users can thereby manage their GraphQL services as APIs.

  • Bot Detection

    The bot detection capability in WSO2 API Manager detects context scanning and internal service scanning. It notifies admin users via email about such threats and potentially problematic API calls, which are carried out by bots and attackers.

  • API Product

    API Product allows users to integrate several APIs and expose them as a single product. This helps to package different services in different ways and expose them as separate products.

  • API Key

    WSO2 API Manager allows users to use a self-contained token as the API key. An API Key is the simplest form of app-based security that a user can configure via WSO2 API Manager's Developer Portal (API Store). The Gateway validates the API Key before allowing the resources to be consumed.

Improvements to existing features

  • Revamped UIs

    The Publisher Portal and the Developer Portal have been completely redesigned using ReactJS to enhance the user experience.

  • Search by tags

    The search function in the Publisher Portal has been improved so that API providers can search using tags.

  • A new configuration model

    Until WSO2 API Manager 2.6.0, users had to update multiple configuration files to configure the product. This overhead is removed with the new configuration model because now users only have to update a single file (deployment.toml).

What has changed in this release

Removed features and functionalities

WUM updates

This section lists the features that were updated or newly introduced in WSO2 API-M 3.0.0 via WUM updates.

Updated or newly introduced feature | Date of the update
Disabling Anonymous Access to the Developer Portal | 29 January, 2021

Compatible WSO2 product versions

WSO2 API-M 3.0.0 is based on WSO2 Carbon 4.5.1 and is expected to be compatible with any WSO2 product that is based on a Carbon 4.5.x version. The one exception is WSO2 Identity Server used as a Key Manager: you need to specifically use WSO2 Identity Server 5.9.0 when working with WSO2 API-M 3.0.0. If you get any compatibility issues, please contact team WSO2. For information on the third-party software required with API-M 3.0.0, see Installation Prerequisites. For more information on the products in each Carbon platform release, see the Release Matrix.

Fixed issues

Known issues

What has changed

  • If you used OIDC or SAML2 for SSO in the portal login in an older API-M version, you have to reconfigure them as described in the documentation on configuring WSO2 IS as an external IDP using OIDC.

  • Until WSO2 API Manager 2.6.0, users had to update multiple configuration files to configure the product. This overhead is removed with the new configuration model because now users only have to update a single file (deployment.toml).

For more information on the configurations in the new configuration model, see the Configuration Catalog. For more information on the mapping between WSO2 API Manager's old configuration files and the new deployment.toml file, see Understanding the New Configuration Model.

  • From 3.0.0 onwards, the previous Jaggery-based UIs for the Publisher and Developer portals are replaced with new ReactJS-based applications.

    From API-M 3.0.0, the Store Portal has been renamed to Developer Portal.

  • From 3.0.0 onwards, WSO2 API Manager has been upgraded to log4j2 (from log4j). You will notice that there is a log4j2.properties file in the <API-M_4.0.0_HOME>/repository/conf/ directory instead of the log4j.properties file. Contact the WSO2 Support Team to obtain instructions on upgrading to Log4j2 and migrating your existing log4j.properties file to the log4j2.properties file.

  • In previous API-M versions, there were 4 Resource Level Security Schemes named None, Application, Application User and Any. From 3.0.0 onwards, this has been reduced to 2 levels: "None" and "Application and Application User". If fine-grained security is required, it is recommended to use OAuth Scopes instead.

  • From 3.0.0 onwards, it is possible to enforce multiple authentication schemes for an API at the same time.