Block Subscription to an API¶
An API publisher can block subscription to an API as a way of disabling access to it and managing its usage and monetization. Subscription blocking can be temporary or permanent. There is an unblocking facility to allow API invocations again.
You can block APIs by subscription by blocking access to a specific user to access a specific API that he/she has subscribed to using a specific application. If a user is subscribed to two APIs using the same application and you block access to only one of the APIs, the user can still continue to invoke the other API that he/she subscribed to using the same application. In addition, the user can continue to access the same API subscribed to using different applications.
Info
API level subscription blocking is useful to control only the subscriptions created for a specific API by a user. If you want to block all API requests from a specific application/user/specific IP address or to a specific API, you can use request blacklisting.
Blocking can be done at two levels:
- Block production and sandbox access : API access is blocked with both production and sandbox keys.
- Block production access only : Allows sandbox access only. This is useful when you want to fix and test an issue in an API. Rather than blocking all access, you can block production access only, allowing the developer to fix and test it.
Warning
When API Gateway caching is enabled (it is enabled by default), even after blocking a subscription, consumers might still be able to access APIs until the cache expires, which happens approximately every 15 minutes. Likewise, the API Gateway cache applies even when an API is unblocked.
Note
See the following topics for the descriptions on the concepts that you need to know when you block subscriptions to an API:
-
Create two APIs.
-
Sign in to the WSO2 API Publisher.
-
Create two APIs and publish them to the WSO2 API Developer Portal.
https://<hostname>:9443/devportal
(e.g.,
https://localhost:9443/devportal
).Tip
For more information, see Create and Publish an API.
-
-
Subscribe to both the APIs.
-
Sign in to the WSO2 API Developer Portal and click APIs.
Note that the two APIs are visible in the APIs page.
-
Subscribe to both APIs using the same application.
You can use the default application or create your own.
You can see the APIs that you have subscribed to and the Status as unblocked.
-
Generate keys and obtain an access token for application.
-
-
Invoke both APIs using the access token you received in the previous step.
Tip
For more information, see Consume an API.
The following is the cURL command format for phoneverify2 API.
Command
curl -X POST "https://localhost:8243/phoneverify2/1.0/checkPhoneNumber" -H "accept: application/json" -H "Content-Type: application/json" -H "Authorization: Bearer 1b4cde76-3951-32bb-9ace-f530bc478490" -d "{ \"CheckPhoneNumber\": { \"PhoneNumber\": \"18006785432\", \"LicenseKey\": \"0\" }}"
You can invoke the PhoneVerification API with the same token. You have subscribed to two APIs and invoked them successfully. Let's block one subscription and see the outcome.
-
Block an API.
-
Sign in to the API Publisher.
-
Click API and click on the API that you need to block.
In this case, click on the
PhoneVerify2
API. -
Click Subscriptions to navigate to the managed subscription section.
-
Click Block All.
Tip
You can choose Block Production Only instead of Block All. In addition, you can unblock the subscriptions that you have previously blocked by clicking Unblock.
-
-
Invoke the APIs to test the blocked API.
-
Sign in to the Developer Portal.
-
Invoke the two APIs (
PhoneVerify2
andPhoneVerification
) again.tip
You might have to regenerate the access token for the respective application that you subscribed the APIs to (for example in this case it will be
DefaultApplication)
if the access token expiration time (1 hour by default) has passed since the last time you generated it.Note that you can invoke
PhoneVerification
again, but when you invokePhoneVerify2
, it gives a message that the requested API is temporarily blocked. Neither the API publisher nor any subscriber can invoke the API until the block is removed.Warning
When Gateway caching is enabled, which is the case by default, the subscription blocking will take place only after the token cache expires (the default token cache expiry time is 15min). However, if the token is regenerated after the API is blocked, then the API will be blocked immediately.
Response when invoking PhoneVerify2
<ams:fault xmlns:ams="http://wso2.org/apimanager/security"> <ams:code>900907</ams:code> <ams:message>The requested API is temporarily blocked</ams:message> <ams:description>Access failure for API: /TestAPI1/1.0.0, version: 1.0.0 status: (900907) - The requested API is temporarily blocked</ams:description> </ams:fault>
If you click Applications in the API Developer Portal, and select the application that you used to subscribe to the API, the details of the blocked subscription appears.
-
-
Unblock the API.
-
Go back to the API Publisher.
https://<hostname>:9443/publisher
(e.g.,
https://localhost:9443/publisher
). -
Click on the respective API
In this case, click
PhoneVerify2
. -
Click Subscriptions and click Unblock corresponding to the respective subscription.
Make sure to click on the subscription that corresponds to the correct application.
If you invoke
PhoneVerify2
again, you will notice that you can invoke the API as usual.Warning
When Gateway caching is enabled, which is the case by default, the subscription unblocking will take place only after the token cache expires (the default token cache expiry time is 15min). However, if the token is regenerated after the API is unblocked, then the API will be unblocked immediately.
You have subscribed to two APIs, blocked subscription to one and tested that you cannot invoke the blocked API.
-