Identity Management for the API Developer Portal

Identity management for the API developer portal includes the following features.

Password Recovery

The password recovery feature does not work by default because no email server is configured to send the password recovery email. Follow the steps below to enable the password recovery feature for the API Developer Portal.

  1. Open the <API-M_HOME>/repository/conf/deployment.toml file and add a mail server configuration as shown below. See Configuring the Email Sending Module for more information.

        from_address = "[email protected]"
        username = "wso2amtest"
        password = "Wso2@am70"
        hostname = ""
        port = "587"
        enable_start_tls = true
        enable_authentication = true

  2. After the mail server is configured, the user can click on the Forgot Password link on the Sign In page of the API Developer Portal and request a password change.


  3. Enter the username of the account whose password you want to recover and click Submit.


  4. You will receive an email with instructions to reset your password. Note that this email is sent to the email address stored during user sign up.


    You can change the template of this email (e.g., email link, message body, etc.). To edit the mail template, open the <API-M_HOME>/repository/conf/email/email-admin-config.xml file and make the changes.

Account locking

You can lock user accounts with the Account recovery and credential management feature, pre-installed in WSO2 API Manager.

Account locking by failed login attempts

The following steps show how to enable account locking. See Account Locking by Failed Login Attempts for more information.

  1. Log in to the Management Console (https://<API-M_HOST>:<API-M_PORT>/carbon) using admin credentials.

  2. Click Resident under Identity Providers found in the Main tab.

  3. Expand the Login Policies tab.

  4. Expand the Account Locking tab and tick the Account Lock Enabled checkbox. Click Update to save changes.



An error message similar to the following will be logged in wso2carbon.log when the account is locked.

    ERROR - Account is locked for user alex in user store PRIMARY in tenant carbon.super. Cannot login until the account is unlocked.
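
The following added example (not part of the WSO2 documentation or product) extracts the account-locked message shown above from wso2carbon.log lines and counts it per account and per tenant, so that repeated lockouts can be reviewed. The sample lines are constructed, `repeat_threshold` is an assumed value, and any timestamp or logger prefix in front of the message is ignored.

```python
import re
from collections import Counter

# Message text as shown on this page; whatever precedes it on the line is ignored.
LOCK_RE = re.compile(
    r"Account is locked for user (?P<user>\S+) in user store (?P<store>\S+) "
    r"in tenant (?P<tenant>\S+)\. Cannot login until the account is unlocked\."
)

def parse_lock_events(lines):
    """Yield (tenant, store, user) for every account-locked message found."""
    for line in lines:
        m = LOCK_RE.search(line)
        if m:
            yield (m["tenant"], m["store"], m["user"])

def summarize(lines, repeat_threshold=3):
    """Count account-locked messages per account and distinct locked accounts per tenant.

    repeat_threshold is an assumed review threshold, not a WSO2 setting.
    """
    counts = Counter(parse_lock_events(lines))
    flagged = sorted(k for k, n in counts.items() if n >= repeat_threshold)
    per_tenant = Counter(tenant for tenant, _store, _user in counts)
    return counts, flagged, per_tenant

# Constructed sample input: the message format from this page with made-up users.
SAMPLE_LOG = """\
ERROR - Account is locked for user alex in user store PRIMARY in tenant carbon.super. Cannot login until the account is unlocked.
INFO - unrelated line
ERROR - Account is locked for user alex in user store PRIMARY in tenant carbon.super. Cannot login until the account is unlocked.
ERROR - Account is locked for user kim in user store PRIMARY in tenant example.com. Cannot login until the account is unlocked.
ERROR - Account is locked for user alex in user store PRIMARY in tenant carbon.super. Cannot login until the account is unlocked.
""".splitlines()

if __name__ == "__main__":
    counts, flagged, per_tenant = summarize(SAMPLE_LOG)
    for (tenant, store, user), n in counts.most_common():
        print(f"{tenant}/{store}/{user}: {n} account-locked message(s)")
    print("accounts to review:", flagged)
    print("distinct locked accounts per tenant:", dict(per_tenant))
```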

Account locking by an administrative user

An administrative user can lock and unlock a particular user's account through the management console. See Locking a Specific User Account for more information.

  1. Log in to the Management Console (https://<API-M_HOST>:<API-M_PORT>/carbon) using admin credentials.

  2. Go to Claims > List on the Main tab and select the claim dialect.

  3. Expand the Account Locked claim and click Edit.


  4. Tick the Supported by Default checkbox and click Update. This is done to make the Account Locked status appear in the user's profile.


  5. Go to Users and Roles > List > Users on the Main menu and click on User Profile of the user you want to lock.

  6. Tick the checkbox in front of the Account Locked field to lock the account for the user and click Update.


Password policies

You can define custom password policies for API developer portal user signup. Open the <API-M_HOME>/repository/conf/deployment.toml file and add the password policy configuration based on your preference as shown below. See Writing a Custom Password Validator for more information.

    []
     = true
    'min.length' = 4
    'max.length' = 10
     = "^((?=.*\\\\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%&*])).{0,100}$"
     = "Password pattern policy violated. Password should contain a digit[0-9], a lower case letter[a-z], an upper case letter[A-Z], one of !@#$%&* characters"
    'class.PasswordLengthPolicy' = "org.wso2.carbon.identity.mgt.policy.password.DefaultPasswordLengthPolicy"
    'class.PasswordNamePolicy' = "org.wso2.carbon.identity.mgt.policy.password.DefaultPasswordNamePolicy"
    'class.PasswordPatternPolicy' = "org.wso2.carbon.identity.mgt.policy.password.DefaultPasswordPatternPolicy"