Sending the API request

Fill in fields to set up the request for an API that you want to debug on the Test tab.

You can complete this task either by using the API Designer UI application, or by using the browser-based API Manager UI.

Open the Test tab

  1. Log in to API Manager or API Designer.
  2. In the navigation list, click Develop icon Develop, then select the APIs tab.
  3. Click the title of the API that you want to test.
  4. On the API Design page, click the Test tab in the page header.

Fill in the Request section

Use the Request section of the page to set up the request URL, the authentication mechanism, and the request parameters. Complete the following steps to fill in the fields that are needed for configuring the request.

Note: The Test tab does not support vanity endpoints; you must specify the gateway endpoint at which the API is invoked. The Request field uses the gateway endpoint by default.
  1. To fill the Security scheme, complete the following steps:
    1. Click Authorizations and select the security definition that you want. The available security definitions depend on the security schemes that are already configured in the API. To know how to configure security schemes, see Defining security schemes. The available security definitions are:
      • API key
      • Basic
      • OAuth
    2. If your API definition uses API key authorization for the security setting, enter the necessary authorization details in the following fields on the Authorize page:
      Name
      The variable name that is auto-populated from security scheme.
      Located In
      Location is auto-populated from the security scheme.
      Value
      The user can enter the value based on the auto-populated name. For example, if the name is X-IBM-Client-Id, the user can enter the same name in the value field.
      For more information on API key security schemes, see Defining API key security schemes.
    3. If your API definition uses Basic authorization for the security setting, enter the necessary authorization details in the following fields on the Authorize page:
      Username and Password
      Enter the username and Password that is needed for authenticating with the user registry.
      For more information on basic security schemes, see Defining basic authentication security schemes.
    4. If your API definition uses OAuth authorization for the security setting, enter the necessary authorization details in the following fields on the Authorize page:
      Note:
      • The OAuth authorization supports only the native OAuth provider. For more information on native OAuth provider, see Configuring a native OAuth provider
      • The available flow options for OAuth authorization are:
        • Implicit
        • Access Code
        • Resource Owner - Password
        • Application
        The fields on the Authorize page are based on the configured flow. For example, in password flow, the Authorization URL field is not available.
      Authorization URL
      This URL is used to redirect users for authentication and authorization. The URL is auto-populated from the OAuth Provider that you created in the Resources page.
      Name
      The name of the OAuth provider is auto-populated.
      Client ID
      This ID is used to authenticate and authorize the client's access to the resources. It is auto-populated based on the application that you selected under Target configuration. For more information, see Specifying the testing preferences for an API.
      Client secret
      Enter the secret key corresponding to the Client ID. The client secret is displayed only once when you create the application. Note down the secret key for OAuth authorization.
      Flow
      Flow in API authorization refers to the OAuth flow types that determine the process of obtaining authorization. It depends on the flow type that you select when you create the security scheme for the authorization. This field is auto-populated by default.
      Scopes
      Select the check boxes of scopes that you want to add. The scopes are included in the access tokens that are generated from the OAuth provider. When an OAuth protected API is invoked, the gateway checks the scopes that are carried in the access tokens. Then it compares them against the list of allowed scopes in the security definition to determine whether to grant access.
      Token URL
      This URL is used for obtaining OAuth tokens during the authentication process. The Token URL is auto-populated based on the URL that you add when creating the corresponding OAuth provider on the Resources page.
      Redirect URIs
      Select the redirect URIs from the list.
      Username and Password
      Enter the username and password of the user registry that is selected under the corresponding OAuth providers on the Resources page.

      Click Get Token to create the access token.

      The system automatically updates the access token in the Parameter tab when you apply authorization.

      For more information on OAuth security schemes, see Defining OAuth2 security schemes.

    5. Click Apply.

      When you invoke the API, API Connect populates a header using the provided information.

  2. Select an operation and request a URL from the list provided.
  3. On the Parameters tab, define header, query, and path parameters.

    An empty row is provided for you to define parameters, enter the parameter name in the Key field, select query, header, or path in the Located in field as appropriate, and supply a string value in the Value field. As you begin to define a new parameter, a further empty row is added automatically.

    Default header parameters and values are provided. For example, if the API has client ID or client secret definitions applied, the corresponding keys are added as header parameters, with the values preset; for details on configuring client ID and client security definitions, see Creating an API key security definition.

    The following table lists some common header definitions that are used in a request:

    Table 1. Common request headers
    Key Value Comments
    Accepts media_type/subtype Specify the type of content that the response headers should use. The default is application/json.
    X-IBM-Client-Id client_ID_val If you are using the built-in test application in the Sandbox catalog, the value is pre-populated automatically. If you are using your own client application, replace the value with the client ID of your application.
    X-IBM-Client-Secret client_secret_value If you are using the built-in test application in the Sandbox catalog, the value is pre-populated automatically. If you are using your own client application, replace the value with the client secret of your application..
    Authorization Bearer access_token Encode the token in base64. API Connect cannot encode the token for you.
    Content-Type media_type/subtype Specify the type of content that the response body should use; for example, application/json or image/png.

    If the API has path or query parameters defined, these are added to the parameters list, ready for you to supply values; for details on configuring path and query parameters, see Defining Paths for a REST API and Configuring an operation.

  4. If the operation is POST or PUT, set up the request body.
    1. Click the Body tab.
    2. Type the information for the body of the request.

Send the request

When your API request is configured, click Send to execute the call.

If a message displays indicating "No Response", the API call cannot be completed. Possible causes of this problem are as follows:

  • CORS is not enabled in the API’s definition

    Edit the API’s definition and enable CORS. Then, save the change and publish the API. If you are using your own client app, remember to subscribe it to the API again after publishing.

  • The gateway service URL has an invalid certificate

    Follow the instructions to accept the certificate and continue testing.

  • The browser cannot connect to the gateway service