Multi Tenant API Management with WSO2 API Manager - Part 2

In the previous post we discussed what is multi-tenancy, multi-tenancy in API Development and multi-tenancy in API Store(Consumption). In this post we will be discussing how subscriptions can be managed among multiple tenants, how APIs an be published into different tenant domains, multi-tenancy in API Gateway, multi-tenancy in Key Manager and also multi-tenancy in API Statistics. 

Manage subscriptions among multiple tenants

In the previous post we discussed how different tenants can develop and consume APIs in isolated views of API Publisher and API Store.This section describes how API creators can control who can subscribe to an API. In the Add API page, under Subscriptions you can select the Subscriptions Category.

There are 3 subscription categories.

  1. Available to current Tenant Only

The API will be allowed to subscribe for users in current tenant domain only(tenant domain of API Creator).

  1. Available to All the Tenants

The API will be allowed to subscribe for all the tenants in the deployment.

  1. Available to Specific Tenants

The API will be allowed to subscribe for specific tenants who are mentioned and the current tenant.

Example: UserProfileAPI is an API in API developer from tenant domain set the subscription category of UserProfileAPI to and subscribers as below.


Figure 1 : Subscription availability to specific tenants

Now a Subscriber from can login to his API Store and then access API Store. He will be able to subscribe to UserProfileAPI.

Although API subscription can be allowed to different tenant domains, this approach have a drawback. Because API subscribers need to login to own ( tenant store, then browse store and discover UserProfileAPI. How can we make UserProfileAPI visible in Store ? Let’s see in the next section.

Publishing APIs to multiple tenant stores

WSO2 API Manager allows API developers to publish APIs to external stores. BY default, when a tenant user publishes an API, it is getting published in that tenant’s own API Store. With this ‘Publishing to external stores’ feature, each tenant can configure set of external stores that they wish to publish APIs. Then API developers can push APIs to those configured different tenant stores. This allows them to expose APIs to a wider community.

However, when subscribing to such APIs, users will be redirected to original publisher's store.


Figure 2 : Publish to multiple tenant stores

We can configure external stores as below.

1. Login to API Manager management console (https://:9443/carbon) as admin and select Browse menu under Resources.

2. The Registry opens. G o to /_system/governance/apimgt/externalstores/external-api-stores.xml resource.


3. Click the Edit as Text link and change the element of each external API store that you need to publish APIs to. 

Example: HR department configure external stores for Sales and Engineering departments as below. So that UserProfileAPI can be pushed into and API Stores.  

Figure 3 : External store configuration


Figure 4 : External API Stores in API Publisher

As shown in the figure 9, API Publishers can push UserProfileAPI into Engineering Store and Sales Store from the ‘External API Stores’ tab.

Example: publishes the UserProfileAPI into Engineering Store and Sales Store. When a subscriber from clicks on UserprofileAPI, there is a link to access original Store.


Figure 5 : UserProfileAPI appearing in Store

Figure 6 : Link to Publisher Store ( store)

Multi-Tenancy in API Gateway

Above we discussed the Multi-Tenant features supported in API Store and API Publisher. There we saw how we can achieve isolation in API development and consumption. Further, how API subscriptions can be managed among tenants and how APIs can be published to different tenant domains were discussed. In this section, let’s look at how Multi-Tenancy is achieved API Gateway and Key Manager level.

In WSO2 API Manager, the API gateway is a simple API proxy that intercepts API requests and applies policies such as throttling and security checks. These API proxies are deployed in WSO2 API Manager as Synapse REST resources. In a multi-tenant deployment, APIs are deployed in tenant isolated manner by having isolated deployment spaces for each tenant. Also APIs are exposed with tenant domain based URL patterns as below.

Example:  We created UserProfileAPI in domain and ArticleFeeds API in domain. In the API Gateway these APIs are deployed in different spaces. Also APIs are exposed with tenant domain based URLs with /t/. So as shown in below, UserProfile API is exposed as http://gateway.cin/t/ On the other hand, ArticleFeeds API is exposed as http://gateway.cin/t/ Now when Application developers are consuming these APIs from different domains, they’ll see these tenant based API Endpoint URLs.

Figure 7 : Multi-tenancy in API Gateway level

Multi-Tenancy in API Key Manager

The API Key Manager component handles all security and key-related operations. When API Gateway receives API calls, it contacts the API Key Manager service to verify the validity of tokens and do security checks. All tokens used for validation are based on OAuth 2.0.0 protocol. First API subscribers have to create an Application, then subscribe to APIs and generate tokens against that application.
In a multi-tenant deployment, consumer applications are tenant isolated. At the API subscription and key generation, keys (consumer key/secret) are issued against these consumer applications. Then the tenant users, who consume those applications can generate user tokens. Further when storing keys, tenant ids are used to achive tenant separation. This is how mult-tenancy is achieved in API Key Manager.

Multi-Tenancy in Statistics

We can set up WSO2 Business Activity Monitor to collect and analyze runtime statistics from the API Manager. To publish data from the API Manager to BAM, the Thrift protocol is used.
Here, usage data publisher is created per tenant.

Information processed in BAM is stored in a database from which the API Publisher and Store retrieves information before displaying in the corresponding UI screens.
Statistics view in API Store and API Publisher are tenant isolated, since API Store and Publisher apps are tenant isolated. 

Figure 8 : Multi-tenancy in API Statistics


This post discussed how organizations can collaborate and monetize their APIs across multiple entities such as departments, partners or simply between separate development groups with Multi-tenancy features in WSO2 API Manager. Basically API developers of multiple entities can have isolated views in API Publisher and manage their APIs. Further API consumers correspond to multiple entities can explore and consume APIs from tenant isolated API stores. Moreover this article described how APIs subscriptions can be controlled among tenants and how APIs can be published into multiple API Stores. Finally how multi tenancy is achieved in API Gateway, Key Manager and Statistic were discussed. 


  1. Very interesting, thanks.

    On figure 6: assuming that the user clicks on the link to publisher store (, will he prompted to log-on the store ?

    1. Hi Ramzi, user can subscribe to UserProfileAPI without login separately to So answer is 'No'. He can subscribe with his current login.

  2. It has 5 reels and 25 paylines and bets vary from zero.25 a lot as} 6.25. The maximum win is 75,000 coins however this goes a lot as} 225,000 coins during the free spins bonus spherical where all wins include a 3x multiplier. Mega Moolah is all concerning the progressive jackpots and there are four of them. The highest payout on record is €19.4 million which was received 카지노사이트 in April 2021.


Post a Comment

Popular posts from this blog

PHP-SOAP web service with out a WSDL

How to add Maven dependency from a relative path referencing a local jar

Boomi Mapping - Removing special chars from an input