Application Keys


An API access token/key is a string passed as an HTTP header of an API request. WSO2 APIM provides OAuth 2.0 bearer token based authentication for API access, and the API key has to be submitted with the API request in order to authenticate the access.

When an Application Developer registers an Application in the API Portal, the Application is given a consumer-key and consumer-secret pair, which represents the credentials of the Application being registered. The consumer-key becomes the unique identifier of the Application, similar to a user's username, and is used to authenticate the application/user. When an API key or an API access token is issued for the Application, it is issued against this consumer-key. When sending an API request, the access token has to be passed as the value of the Authorization HTTP header.

Example: Authorization: Bearer NtBQkXoKElu0H1a1fQ0DWfo6IX4a

Generate Application Keys

The steps below describe how to generate/renew application keys.

  1. Sign in to the WSO2 API Developer Portal (https://<hostname>:9443/devportal).

  2. Navigate to the applications listing page and click the application for which you want to generate keys.

    Application View

  3. Click the Production Keys tab and click Generate Keys to create an application access token. The access token is generated along with the application consumer key and secret.

    Generate Application 

    If the application type is JWT, the generated access token will be a JWT, and it has to be copied immediately after it is generated.

    JWT Token

    If the application type is OAuth, the generated access token will be an opaque token.

    OAuth Token

    Once the keys are generated, you can find the consumer key and consumer secret pair on the application detail page.

    Application Consumer Key Secret


In the Access token validity period field, you can set an expiration period that determines how long the token remains valid after generation. Set this to a negative value to ensure that the token never expires. For more information, see Changing the default token expiration time.


When you generate access tokens for APIs protected by scopes, you can select the scopes and then generate the token for them.
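
The two token types and the validity period described above can be checked from the client side. The following is an added example, not code from WSO2 or from the original page: it tells a JWT from an opaque token and flags JWTs whose lifetime exceeds a policy limit. The one-hour limit, the function names, and the use of the standard `exp`, `iat` and `scope` claims are assumptions, and the JWT samples are constructed.

```python
import base64
import json
import time

def _b64url_json(segment):
    """Decode one base64url JWT segment into a dict, or return None."""
    try:
        padded = segment + "=" * (-len(segment) % 4)
        value = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    return value if isinstance(value, dict) else None

def audit_token(token, max_lifetime=3600, now=None):
    """Classify a token as JWT or opaque and flag lifetime problems.

    Claims are read WITHOUT verifying the signature: this is for auditing
    issued tokens only, never for making an authorization decision.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    header = _b64url_json(parts[0]) if len(parts) == 3 else None
    claims = _b64url_json(parts[1]) if header and "alg" in header else None
    if claims is None:
        # An opaque token carries no data; its expiry is known only to the server.
        return {"type": "opaque", "findings": ["lifetime not inspectable client-side"]}
    findings = []
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, (int, float)):
        findings.append("no exp claim")
    elif exp <= now:
        findings.append("expired")
    elif exp - (iat if isinstance(iat, (int, float)) else now) > max_lifetime:
        findings.append("lifetime exceeds policy")
    return {"type": "jwt", "scope": claims.get("scope", ""), "findings": findings}

def _make_sample_jwt(claims):
    """Build a constructed, JWT-shaped string with a dummy signature."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "c2ln"])

if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed issue time
    samples = {
        "opaque (example token from this page)": "NtBQkXoKElu0H1a1fQ0DWfo6IX4a",
        "jwt, 1 hour": _make_sample_jwt({"iat": t0, "exp": t0 + 3600, "scope": "default"}),
        "jwt, 10 years": _make_sample_jwt({"iat": t0, "exp": t0 + 315_360_000}),
    }
    for name, tok in samples.items():
        print(name, audit_token(tok, now=t0 + 60))
```

For opaque tokens the lifetime has to be confirmed on the server side, since nothing in the token string reveals it.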