Creating an application
Create an application that defines the precise identifiers by which messages from a particular application are recognized at run time and authenticated by webMethods API Gateway.
About this task
You must have the Manage applications functional privilege to perform this task.
Procedure
- Open the menu options and select Applications.
- Click Create application.
- Provide the following information in the Basic information section.
Name: Type a name for the application.
Version: Version of the application. By default it is 1.0, but it can be modified to a required value.
Owner: Name of the team that owns the application. The application owner can view all details of the application, including the API access key. If you specify a team as the application owner, all members of the team can view the API access key.
Note: You cannot modify the ownership details of applications you create through Developer Portal.
Description: Type a description of the application.
Requestor comment: Specify your comments. This field is visible only when the approval configuration for Create application is enabled in the Administration > General > Approval Configuration > Create application section. One of the following sets of approvers can approve the pending requests for an application:
- The users and user groups listed in the Approvers section of the Basic information tab of a team that the application is associated with. Specify the required users and user groups when you create or edit the corresponding team.
- The users and user groups listed in the Team Administrators section of the Basic information tab of a team that the application is associated with. Specify the required users and user groups when you create or edit the corresponding team. This set of users is applicable only if the Include team administrators as approvers option is selected.
- Click Continue to Identifiers. Alternatively, you can click Identifiers. You can save the application by clicking Save at this stage and add the Identifiers and APIs later.
- Provide the following information in the Identifiers section.
IP address range: Provide the range of trusted IPv4 or IPv6 addresses that identify requests from a particular application. You can add more ranges by clicking +Add and adding the required information.
Partner identifier: Specifies the third-party partner's identity.
Client certificates: Click Browse and select the client certificate or certificate chain to be uploaded. The client certificate specifies the X.509 certificates that identify requests from a particular application. Note: webMethods API Gateway supports .cer and .pem certificates for identifying consumer applications. You can add multiple certificates by clicking +Add.
Claims: Provide a set of claims for JWT and OpenID clients. A claim is a piece of identifying information that identifies requests from a particular consumer application. A claim set is identified by a unique Name and is defined as name-value pairs, each consisting of a Claim name and a Claim value. You can add more claims and claim sets by clicking +Add and adding the required information.
Header key: Specify the HTTP header key that identifies requests from an application.
Header value: Specify the HTTP header value that identifies requests from an application. You can add multiple header key and value pairs by clicking +Add.
Other identifiers: Select one of the following options to identify requests from a particular application and provide the corresponding value.
- Hostname. Specify the hostname.
- Token. The token that is required to identify requests from an application.
- Username. The username credential that identifies requests from an application.
- WS-Security username. The WSS username that identifies requests from an application.
- Payload identifier. The payload identifier that is required to identify requests from an application.
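As an added example of how the identifiers configured in this step are evaluated at run time (this is illustrative code, not webMethods API Gateway code), the following Python matches a request's source IP, headers, token claims and hostname against constructed sample applications. The Application model, the matching rules (any one identifier type suffices; within a header set or claim set every configured pair must match) and all sample values are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Application:
    """Identifiers of one gateway application (hypothetical model of the Identifiers section)."""
    name: str
    ip_ranges: list = field(default_factory=list)  # CIDR ("203.0.113.0/24") or "start-end"
    headers: dict = field(default_factory=dict)    # header key -> expected value
    claims: dict = field(default_factory=dict)     # one claim set: claim name -> claim value
    hostnames: list = field(default_factory=list)

def ip_in_range(ip: str, rng: str) -> bool:
    """True if ip lies in rng; handles IPv4 and IPv6 and never matches across families."""
    addr = ipaddress.ip_address(ip)
    if "-" in rng:
        start, end = (ipaddress.ip_address(p.strip()) for p in rng.split("-", 1))
        return addr.version == start.version == end.version and start <= addr <= end
    net = ipaddress.ip_network(rng, strict=False)
    return addr.version == net.version and addr in net

def matches(app: Application, source_ip: str, headers: dict, claims: dict, hostname: str) -> bool:
    """Assumed rule: any one identifier type that matches identifies the application."""
    if any(ip_in_range(source_ip, r) for r in app.ip_ranges):
        return True
    # Header names are case-insensitive in HTTP; every configured key/value pair must match.
    req = {k.lower(): v for k, v in headers.items()}
    if app.headers and all(req.get(k.lower()) == v for k, v in app.headers.items()):
        return True
    # A claim set matches only when every configured claim name/value pair is in the token.
    if app.claims and all(claims.get(k) == v for k, v in app.claims.items()):
        return True
    return hostname in app.hostnames

def identify(apps: list, source_ip: str, headers: dict, claims: dict, hostname: str) -> Optional[Application]:
    """Return the one matching application, None if none matches, and fail on ambiguity."""
    found = [a for a in apps if matches(a, source_ip, headers, claims, hostname)]
    if len(found) > 1:  # two applications claiming the same request is a configuration error
        raise ValueError("ambiguous identifiers: " + ", ".join(a.name for a in found))
    return found[0] if found else None

# Constructed sample applications (documentation-range addresses, not real systems).
APPS = [
    Application("partner-a", ip_ranges=["203.0.113.0/24"], headers={"X-App-Key": "a1b2"}),
    Application("mobile", claims={"iss": "https://idp.example", "client_id": "mobile-1"}),
    Application("batch", ip_ranges=["2001:db8::1-2001:db8::ff"], hostnames=["batch.example"]),
]
```

The ambiguity check is the part worth keeping in mind when you configure overlapping identifiers: two applications that both match the same request cannot be told apart, so narrow the IP ranges or claim sets until each request maps to exactly one application.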
- Click Continue to APIs. Alternatively, you can click APIs. You can save the application by clicking Save at this stage and add the APIs later.
- Type a keyword to find the required API and click + to add the API. Adding an API to the application enables the application to access the API. When invoking the API at run time, the API developer must provide the access token or identification token so that webMethods API Gateway can identify the application.
- Type the required Requestor comment.
- Click Continue to Advanced. You can save the application by clicking Save at this stage and complete the remaining sections later.
- Specify the origins from which responses are allowed to originate during response processing for the application.
- Click +Add to add the origin. You can add multiple origins by using +Add.
- Click Continue to Authentication. You can save the application by clicking Save at this stage and add the Authentication strategy later.
- Click Create strategy. A strategy is a way to authenticate the incoming request and provides multiple authentication mechanisms or multiple authorization servers for a single authentication scheme. You can create multiple strategies that an API authorizes for an application.
- Select one of the following Authentication schemes.
- OAUTH2. Provide the following information.
Name: Provide the name for the strategy.
Description: Provide a description of the strategy.
Authentication server: Specify the authentication server. The available values are local, which is the default server, or any other configured external authorization server.
Audience: Provide a value or URI that is the intended recipient of the authorization server scope. The application that receives the token verifies that the audience value is correct and rejects any tokens that are intended for a different audience.
Generate Credentials: Enable the toggle button to generate the client dynamically in the authorization server and provide the following information:
- Type. Select one of the client types:
- Confidential. A confidential client is an application that can keep a client password confidential to the world. This client password is assigned to the client app by the authorization server. This password is used to identify the client to the authorization server to avoid fraud. An example of a confidential client might be a web app, where no one but the administrator can get access to the server, and see the client password.
- Public. A public client is an application that is not capable of keeping a client password confidential. For instance, a mobile phone application or a desktop application with the client password embedded inside it. Such an application might get cracked and might reveal the password. The same is true for a JavaScript application that runs in the user's browser. The user can use a JavaScript debugger to look into the application and see the client password.
- Application type. Specify the application type.
- WEB. A web application is an application that runs on a web server. In reality, a web application typically consists of both a browser part and a server part. The client password might be stored on the server and is thus confidential.
- USER_AGENT. A user agent application is, for instance, a JavaScript application that runs in a browser. The browser is the user agent. A user agent application might be stored on a web server, but the application runs only in the user agent after the application is downloaded.
- NATIVE. A native application is, for instance, a desktop application or a mobile phone application. Native applications are typically installed on the user's computer or device (phone or tablet). Thus, the client password is stored on the user's computer or device too.
- Token lifetime. Specify the token lifetime in seconds for which the token is active.
- Token refresh limit. Specify the number of times that you can use the refresh token to get a new access token.
- Redirect URIs. Specify the URIs that the authorization server can use to redirect the resource owner's browser during the grant process. You can add multiple URIs by clicking +Add.
- Grant type. Specify the grant type to be used to generate the credentials. Available options can be authorization_code, password, client_credentials, refresh_token, and implicit, which are dynamically populated from the authorization server. For example, if the authorization server does not support client credentials, the option is not available in the options list.
- Scopes. Select the scopes that are to be mapped for the authentication strategy.
Note: In webMethods API Gateway 10.2, the scopes are automatically created when you associate an API with an application. From webMethods API Gateway 10.3 or higher, you must select the scopes from the authorization server that are to be associated with the strategy.
Client id: Specify the client identifier of a client application available in the authorization server. It identifies the client application in the authorization server and maps that client to the webMethods API Gateway application. Note: This parameter is required if you have a client application available in the authorization server and do not want to dynamically create a client.
- JWT. Provide the following information.
Name: Provide the name for the strategy.
Description: Provide a description of the strategy.
Authentication server: Specify the authentication server. The possible values are local, which is the default server, or any other configured external authorization server.
Audience: Provide a value or URI that is the intended recipient of the authorization server scope. The application that receives the token verifies that the audience value is correct and rejects any tokens that are intended for a different audience.
HMAC algorithm: Select this option if the authorization server returns a JWT signed with an HMAC algorithm, and provide the shared secret value used to validate the JWT.
- OPENID. Provide the following information:
Name: Provide the name for the strategy.
Description: Provide a description of the strategy.
Authentication server: Specify the authentication server. The available values are local, which is the default server, or any other configured external authorization server.
Audience: Provide a value or URI that is the intended recipient of the authorization server scope. The application that receives the token verifies that the audience value is correct and rejects any tokens that are intended for a different audience.
Generate Credentials: Enable the toggle button to generate the credentials required to identify the client application and provide the following information.
- Type. Select one of the client types, Public or Confidential.
- Confidential. A confidential client is an application that can keep a client password confidential to the world. This client password is assigned to the client app by the authorization server. This password is used to identify the client to the authorization server to avoid fraud. An example of a confidential client might be a web app, where no one but the administrator can get access to the server, and see the client password.
- Public. A public client is an application that is not capable of keeping a client password confidential. For instance, a mobile phone application or a desktop application with the client password embedded inside it. Such an application might get cracked and might reveal the password. The same is true for a JavaScript application that runs in the user's browser. The user can use a JavaScript debugger to look into the application and see the client password.
- Application type. Specify the application type.
- WEB. A web application is an application that runs on a web server. In reality, a web application typically consists of both a browser part and a server part. The client password can be stored on the server, which keeps the password confidential.
- USER_AGENT. A user agent application is, for instance, a JavaScript application that runs on a browser. The browser is the user agent. A user agent application can be stored on a web server, but the application runs only in the user agent after it is downloaded.
- NATIVE. A native application is, for instance, a desktop application or a mobile phone application. Native applications are typically installed on the user's computer or device (phone or tablet). Thus, the client password is stored on the user's computer or device too.
- Token lifetime. Specify the token lifetime in seconds for which the token is active.
- Token refresh limit. Specify the time in seconds for which the token refresh is applicable.
- Redirect URIs. Specify the URIs that the authorization server can use to redirect the resource owner's browser during the grant process. You can add multiple URIs by clicking +Add.
- Grant type. Specify the grant type to be used to generate the credentials. Available options are Authorization code, Implicit, Resource owner, and Client credentials.
- Scopes. Select the scopes that are to be associated to the generated client.
Note: In webMethods API Gateway 10.2, the scopes are automatically created when you associate an API with an application. For webMethods API Gateway 10.3 and higher, you must select the scopes from the authorization server that are to be associated with the strategy.
Client id: Specify the client identifier that identifies the client application in the authorization server and maps that client to the webMethods API Gateway application. This parameter is required if you do not choose to generate credentials to identify the client application.
- Click Add. The strategy is configured and listed in the Strategies table. Note: You can generate a new Client ID and Client Secret for an existing strategy. However, after the credentials are generated for a strategy, it can no longer be removed. The Generate credentials toggle is disabled in the UI when you update a strategy.
- Click Save. The application is created and, after approval, listed on the Manage applications page.
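For the JWT strategy described above (HMAC algorithm option with a shared secret, plus the Audience field), the following added Python shows what validating such a token involves: a pinned algorithm, a constant-time HMAC-SHA256 signature check, expiry, and rejection of tokens intended for a different audience. This is illustrative code, not webMethods API Gateway code; the secret, sample claims and helper names are constructed for the example.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

def b64url_decode(part: str) -> bytes:
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_jwt_hs256(claims: dict, secret: bytes) -> str:
    """Constructed helper: mint a token the way an HMAC-signing authorization server would."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def verify_jwt_hs256(token: str, secret: bytes, audience: str, now: Optional[float] = None) -> dict:
    """Return the claims if signature, algorithm, expiry and audience all check out; else raise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm to what the strategy configured; never trust the token's own alg value.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):  # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    now = time.time() if now is None else now
    if "exp" in claims and claims["exp"] <= now:
        raise ValueError("token expired")
    # aud may be a string or a list; the configured Audience must be among the recipients.
    aud = claims.get("aud")
    recipients = aud if isinstance(aud, list) else [aud]
    if audience not in recipients:
        raise ValueError("audience mismatch")
    return claims

def token_is_valid(token: str, secret: bytes, audience: str, now: Optional[float] = None) -> bool:
    """Convenience wrapper that turns any validation failure (including decode errors) into False."""
    try:
        verify_jwt_hs256(token, secret, audience, now)
        return True
    except ValueError:  # json and base64 decode errors are ValueError subclasses
        return False
```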