Enable Publisher Access Control

The APIs created in the API Publisher are visible to any user who signs in to the API Publisher, by default. However, WSO2 API Manager allows API creators to restrict the visibility of their APIs within the API Publisher if required. API creators can set the Publisher Access control option to restrict API view and modify actions to a set of users, based on their roles. You can enable Publisher Access Control in API Publisher using one of the following methods:

Using the API Publisher

  1. Sign in to API Publisher as an API Creator.

    For more information on User Roles, see Managing Users and Roles.

  2. Create a new API.

  3. Click Design Configurations.

  4. Select Restricted by roles as the value for Publisher Access Control.

    Design configuration page

  5. Add the roles that have permission to view or modify this API.

    Enter role to restrict

  6. Save the API.

    Save API


Ensure that the roles you add are valid. If the current creator is not an APIM admin, there should be at least one role of the current creator.


Users with API-M Admin permission or admin role are treated differently. Even if an API is restricted to a certain set of publishers, it will be visible to all the API creators and publishers with API-M Admin permission or admin role.

Using the REST API

Use the existing REST API to add an API. Make sure to add the following two elements in your request body to create an API with publisher access control restriction.

"accessControl" : "RESTRICTED",
"accessControlRoles" : ["admin"]

Note that the roles must be valid. If the API creator is not an API-M admin they should at least have one of their roles in the accessControlRoles field.


The publisher role cache is enabled by default in API Manager. This is to avoid sending repeated requests to the Key Manager node in a distributed deployment, to authenticate user roles.

In order to disable this cache, add the following to the <API-M_HOME>/repository/conf/deployment.toml file.

enable = false

Note that if this is disabled, it results in lowering performance due to repeatedly accessing the Key Manager. Therefore, WSO2 recommends that you keep it enabled.