WSO2 API Manager 3.2.0: News and Features

WSO2 remains a technological leader in systems integration. This is evidenced in the new version of API Manager, which includes many new and valuable features.

Before we start, let’s take a quick look at the components of the API Manager, since the new features relate to them and modify how they work:

  • Gateway: Element that allows access to APIs.
  • Key Manager: Responsible for APIs’ authentication in various formats.
  • Traffic: Monitors the call flow to the API and ensures that the call control rules on APIs are followed.
  • Publisher / Developer: Portals that allow us to generate and subscribe to various APIs with a simple graphic interface.

Updates and Features of WSO2 API Manager 3.2.0

External Key Manager

By default, the API Manager comes with its own Key Manager and, until now, it was possible to replace this key manager with another of the main WSO2 products, the Identity Server.

From now on, with WSO2 API Manager 3.2, we can use a Key Manager that is not specific to WSO2, in a simple and intuitive way. This further expands the integration of the product with established systems, without forcing us to discard elements that are already in place.

This configuration is carried out from the administration portal and allows us to configure the WSO2 Identity Server, Keycloak or Okta.

Approval Workflow

Keep in mind that an application is nothing more than a logical representation, within WSO2 API Manager, of something physical and external to it, such as a website or a mobile device. These applications are the ones that subscribe to APIs, and their access is controlled by the Traffic Manager. Therefore, to avoid their indiscriminate creation or use, an approval flow can be associated with them.

It was already possible to associate a workflow, but this meant developing it and therefore having a business rules server (Business Process). However, we must bear in mind that a simple workflow, where we can request the approval of a user, is very common. This is why WSO2 now includes this process as standard, so we can carry out the user approval process without needing an additional server for the processes.

These new applications will be created as inactive. They will continue like so until they are approved or rejected from the administration portal.

Developer Test Console

Most often, especially in non-production environments, developers need to test the APIs they are developing. Until now, these tests could not be carried out until the APIs were published.

Now, WSO2 API Manager 3.2.0 offers us a console, similar to the one in the developer portal, where we can carry out tests before the publication of the API. This gives us the opportunity to test whether our traffic control rules or connection with the backend are correct.

GraphQL Query Analyzer

GraphQL is a query language that emerged as an alternative to REST. As a client, we can request only the data we need, which allows a more fluid conversation.

However, with great power comes responsibility. To serve such dynamic queries, where every client can request the data they want, the server takes on an even higher workload. These types of queries can also be the origin of DoS attacks.

Version 3.0 already let us create GraphQL-type APIs. WSO2 API Manager 3.2.0 now introduces a query analyzer, accessible from the developer portal. Using this system, we can check whether queries are valid and whether they are too complex.
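To make the idea of "too complex" concrete, here is an added example (not WSO2's analyzer or its code) that measures the nesting depth and field count of a query before it is executed. The limits, the `analyze` function and the sample queries are assumptions made for illustration; named fragments are rejected rather than expanded, and validity is checked only as bracket balance, not against a schema.

```python
import re

MAX_DEPTH, MAX_FIELDS = 4, 20   # constructed limits; real ones are API policy

TOKEN = re.compile(r'''
    (?P<skip>"""(?:.|\n)*?"""|"(?:\\.|[^"\\\n])*"|\#[^\n]*)   # strings, comments
  | (?P<spread>\.\.\.)
  | (?P<punct>[{}()@:])
  | (?P<name>[_A-Za-z][_0-9A-Za-z]*)
''', re.VERBOSE)

def analyze(query, max_depth=MAX_DEPTH, max_fields=MAX_FIELDS):
    """Return (allowed, depth, fields, reason) for one GraphQL query string."""
    toks = [(m.lastgroup, m.group()) for m in TOKEN.finditer(query)
            if m.lastgroup != "skip"]
    stack, parens, fields, deepest, frag_head = [], 0, 0, 0, False
    for i, (kind, text) in enumerate(toks):
        prev = toks[i - 1][1] if i else ""
        nxt = toks[i + 1][1] if i + 1 < len(toks) else ""
        if text == "(":
            parens += 1
        elif text == ")":
            parens -= 1
        elif parens:
            continue                    # arguments and input objects: not selections
        elif text == "...":
            frag_head = True
        elif text == "{":
            stack.append(0 if frag_head else 1)   # inline fragments add no depth
            frag_head = False
            deepest = max(deepest, sum(stack))
        elif text == "}":
            if not stack:
                return (False, deepest, fields, "malformed document")
            stack.pop()
        elif kind == "name" and stack:
            if prev == "...":
                if text != "on":        # spread of a named fragment
                    return (False, deepest, fields, "named fragments not supported")
            elif not (prev == "@" or nxt == ":" or
                      (prev == "on" and i >= 2 and toks[i - 2][1] == "...")):
                fields += 1             # skip directives, aliases, type conditions
    if stack or parens or not deepest:
        return (False, deepest, fields, "malformed document")
    if deepest > max_depth:
        return (False, deepest, fields, "depth limit exceeded")
    if fields > max_fields:
        return (False, deepest, fields, "field limit exceeded")
    return (True, deepest, fields, "ok")

# Constructed sample queries.
SHALLOW = '{ user(id: 1, filter: {active: true}) { name email } }'
DEEP = "{ " + "friends { " * 6 + "name" + " }" * 7
```

Running the check before resolution means an over-deep query is refused at a cost proportional to its text length, not to the backend work it would have triggered.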

OAuth 2.0 securing in the backend

Finally, we get something requested by everyone that so far could only be achieved through customized components: allowing our API to connect to a backend that has its own OAuth 2.0 security.

We must remember that OAuth 2.0 is possibly the most widely used security protocol today. Therefore, it is no surprise that an API calls a backend which uses the same protocol. Now this communication can be easily carried out.

API Operator for Kubernetes: K8s API-Operator

One of the upgrades of version 3.1.0 was the K8s API-Operator tool. This allows us to easily manage our microservices in a Kubernetes environment and deploy APIs associated with one or more of them.


Now, with the new version, and this tool, we can configure our services to scale automatically and horizontally based on the metrics defined.


In relation to the previous point, now, with the new version of WSO2 API Manager 3.2 we will be able to expose the deployed APIs to the cloud in Private Jet mode. This will allow us to deploy them with maximum security.

If we choose this option, all deployment and scaling management will be handled by the K8s API-Operator component.


Security via an API Key is the easiest method to apply at the application level. It is based on the creation of a unique and undefined key at the JWT subscription level. This JSON key contains the application information, when it was subscribed, etc. The Gateway is in charge of validating both the signature of the JWT token and the subscription status.

Gateway Artifact Synchronizer

Streams, endpoints, and other artifacts are managed by the Gateway at runtime and are stored on a specific physical path. In multi-node environments, this leads to the need to share these files via NFS or rsync.

To avoid an even more complicated configuration, WSO2 has created a synchronizer for these kinds of tasks. It is built with the help of event dispatch and the Traffic Manager.

API Controller

The API Controller, or CTL, is the WSO2 tool that manages APIs from the command line. Once we have set up an environment, we can export an API, import it, list the existing ones, etc.


Now, in pursuit of improving continuous integration pipelines, this tool comes with support for Git. With this we can detect whether changes have occurred in a specific repository and redeploy its APIs.


We must understand a product as a set of APIs, or resources within the same API. Therefore, now using the API Controller, we can manage these products from the command line, not just APIs.


Now, we can also create our APIs from the command line associated with HTTP / SOAP or AWS Lambda endpoints, and not only with HTTP/REST as with previous versions.


Now, we can also change the lifecycle of an API from the command line, and not only from the Publisher portal as in previous versions.

Restriction by IP or referrer in authentication by API Key

We mentioned before that authentication by API Key is the easiest way of doing things, and that it is done on the application level. That is why we are now introducing tools that allow us greater control over the users of the application. They allow us to restrict access based on the IP or origin of the call referrer. This call source can be an exact URL or a specific subdomain.
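The following added example (not WSO2 code) shows how a gateway-side check of these two restrictions can be written so that look-alike hosts do not pass a subdomain rule. The claim names `permitted_ips` and `permitted_referers`, the rule syntax (`*.domain` for a subdomain, a full URL for an exact match) and the sample values are assumptions; the key's signature is assumed to have been verified already.

```python
import ipaddress
from urllib.parse import urlsplit

def ip_permitted(client_ip, permitted):
    """True if client_ip is inside any permitted address or CIDR block."""
    try:
        addr = ipaddress.ip_address(client_ip)
        nets = [ipaddress.ip_network(p.strip(), strict=False) for p in permitted]
    except ValueError:
        return False                      # unparsable input fails closed
    return any(addr.version == n.version and addr in n for n in nets)

def referer_permitted(referer, permitted):
    """True if the Referer matches an exact URL or a '*.domain' rule."""
    try:
        parts = urlsplit(referer or "")
    except ValueError:
        return False
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host:
        return False                      # missing or non-web Referer fails closed
    for rule in permitted:
        rule = rule.strip()
        if rule.startswith("*."):
            # Match on the parsed hostname and keep the leading dot, so
            # "shop.example.com.attacker.test" and "evilshop.example.com" fail.
            if host.endswith(rule[1:].lower()):
                return True
        else:
            want = urlsplit(rule)         # exact rule: scheme, host[:port], path
            if (parts.scheme, parts.netloc.lower(), parts.path) == \
               (want.scheme, want.netloc.lower(), want.path):
                return True
    return False

def key_usable(claims, client_ip, referer):
    """Apply whichever restrictions the (already verified) key carries."""
    ips = claims.get("permitted_ips") or []          # hypothetical claim name
    refs = claims.get("permitted_referers") or []    # hypothetical claim name
    if ips and not ip_permitted(client_ip, ips):
        return False
    if refs and not referer_permitted(referer, refs):
        return False
    return True

# Constructed sample claims (documentation address ranges and domains).
IP_KEY = {"permitted_ips": ["203.0.113.0/24", "2001:db8::1"]}
REF_KEY = {"permitted_referers": ["https://portal.example.com/app",
                                  "*.shop.example.com"]}
```

The Referer header is set by the client, so a referrer restriction limits reuse of a leaked key from other web pages but does not authenticate the caller; the IP check is only as good as the source of `client_ip`, which should be the address seen on the trusted connection hop.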

Upgrades in existing components of WSO2 APIM 3.2

In addition to all these new features, in WSO2 API Manager 3.2.0, we have also included these upgrades to existing components:

  • Redesign of the administrator portal.
  • Web accessibility improvements in the developer portal. Level AA.
  • Possibility of updating the subscription level without the need to unsubscribe and subscribe again.
  • Improvement in scopes sharing between tenants.
  • Improved in-memory subscription validation, decreasing the traffic between the Gateway and the Key Manager.
  • Improvements in the import of SSL certificates.
  • Improved generation of test responses for prototyped APIs.
  • Improvements in the API Controller.

As you can see, there are multiple important features, which we have described in a simplified manner so as to avoid confusion. However, if you would like more details about them, you can contact us HERE.