Consumer applications
An application defines the identifiers by which requests from a particular consumer are recognized at run time. The identifiers can be, for example, a username in an HTTP header or a range of IP addresses, and they allow webMethods API Gateway to identify or authenticate the applications that request an API.
The ability of webMethods API Gateway to relate a request to a specific application enables it to do the following.
- Control access to an API at run time (that is, allow only authorized applications to invoke an API).
- Monitor an API for violations of a Service-Level Agreement (SLA) for a specified application.
- Indicate the application to which a logged transaction event belongs.
An application has the following attributes for specifying the identifiers.
- IP address, which specifies one or more IP addresses that identify requests from a particular application. For example,
192.168.0.10
This attribute is queried when the Identify and Authorize Application policy is configured to identify applications by using an IP address.
- Claims set, which specifies one or more claims that identify requests from a particular application. The claims are a set of name-value pairs that provide sufficient information about the application. For example,
sub = Administrator
This attribute is queried when the Identify and Authorize Application policy is configured to identify applications by using a JWT or an OpenID token.
- Client certificate, which specifies the X.509 certificates that identify requests from a particular application. This attribute is queried when the Identify and Authorize Application policy is configured to identify applications by a client certificate.
- Identification token, which specifies the hostnames, usernames or other distinguishing strings that identify requests from a particular application. This attribute is queried when the Identify and Authorize Application policy is configured to identify applications by hostname, token, HTTP username or WSS username.
You can configure authentication strategies for an application to authenticate incoming requests. An application can have multiple strategies, each of which an API can authorize for that application; together they give a single authentication scheme multiple authentication mechanisms or multiple authorization servers. For example, for the OAuth authentication scheme, you may want an application to accept tokens from both OKTA and PINGFederate, or from OKTA with multiple tenants; to support this, you configure an OAuth strategy for the application for each of those authorization servers.
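As an added example (not webMethods API Gateway code), the following Python models the four identifier attributes and the per-application OAuth strategies described above; the data shapes, function names, sample application and claim sets are assumptions. It goes one step beyond the text by refusing to identify an application from a token whose issuer is not one of that application's configured authorization servers, even when the token's claims would otherwise match.

```python
"""Application identification and OAuth strategy selection, modelled on the
identifier attributes and strategies described above.  This is an added
illustration, not webMethods API Gateway code: the data shapes, function
names, sample application and claim sets are assumptions."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class OAuthStrategy:
    """One authorization server the application may use (assumed shape)."""
    name: str
    issuer: str    # expected value of the token's `iss` claim
    audience: str  # expected value of the token's `aud` claim


@dataclass
class Application:
    name: str
    ip_addresses: list = field(default_factory=list)         # single IPs or CIDR ranges
    claims: dict = field(default_factory=dict)               # claim name -> required value
    cert_fingerprints: set = field(default_factory=set)      # lowercase hex SHA-256 of DER cert
    identification_tokens: set = field(default_factory=set)  # hostnames, HTTP/WSS usernames
    strategies: list = field(default_factory=list)           # OAuthStrategy objects


def ip_matches(app: Application, client_ip: str) -> bool:
    """True if client_ip is one of, or inside a range of, the application's addresses.
    Use the TCP peer address here; a forwarded header is only trustworthy behind a
    proxy you control, otherwise any client can claim an allowed address."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(entry, strict=False)
               for entry in app.ip_addresses)


def strategy_for_token(app: Application, claims: dict) -> Optional[OAuthStrategy]:
    """Pick the strategy whose issuer and audience the token carries, or None if the
    token comes from an authorization server this application is not authorized for."""
    for s in app.strategies:
        if claims.get("iss") == s.issuer and claims.get("aud") == s.audience:
            return s
    return None


def claims_match(app: Application, claims: dict) -> bool:
    """Every configured claim must be present with the configured value.  `claims`
    must come from a token whose signature was verified with the selected
    strategy's keys; unverified claims are attacker-controlled."""
    if not app.claims or strategy_for_token(app, claims) is None:
        return False
    return all(claims.get(name) == value for name, value in app.claims.items())


def identify(apps, *, client_ip=None, claims=None,
             cert_fingerprint=None, token=None) -> Optional[Application]:
    """Return the first application one of the supplied identifiers resolves to.
    Each keyword mirrors one attribute: IP address, claims set, client certificate,
    identification token.  Returns None when no application is identified."""
    for app in apps:
        if client_ip and ip_matches(app, client_ip):
            return app
        if claims and claims_match(app, claims):
            return app
        if cert_fingerprint and cert_fingerprint.lower() in app.cert_fingerprints:
            return app
        if token and token in app.identification_tokens:
            return app
    return None


# Constructed sample data: one application with two OAuth strategies (two
# authorization servers for the same OAuth scheme) and the page's own examples.
APPS = [
    Application(
        name="inventory-app",
        ip_addresses=["192.168.0.10", "10.20.0.0/16"],
        claims={"sub": "Administrator"},
        cert_fingerprints={"3b" * 32},
        identification_tokens={"inventory.example.com", "inv_user"},
        strategies=[
            OAuthStrategy("okta-tenant-a", "https://tenant-a.okta.example", "api-gw"),
            OAuthStrategy("pingfederate", "https://sso.ping.example", "api-gw"),
        ],
    ),
]

# Constructed, already signature-verified claim sets used below.
OKTA_ADMIN = {"iss": "https://tenant-a.okta.example", "aud": "api-gw", "sub": "Administrator"}
OKTA_USER = {"iss": "https://tenant-a.okta.example", "aud": "api-gw", "sub": "alice"}
ROGUE_ISSUER = {"iss": "https://evil.example", "aud": "api-gw", "sub": "Administrator"}

if __name__ == "__main__":
    print(identify(APPS, client_ip="10.20.5.7").name)   # inventory-app
    print(identify(APPS, claims=ROGUE_ISSUER))          # None
```

The order of checks inside `identify` follows the attribute list; in a real policy only the identifiers the Identify and Authorize Application policy is configured for would be consulted, so the keyword arguments you pass should be limited to those.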
If you have the Manage Application functional privilege, you can create and manage applications, and register applications with the APIs.
The high-level stages to manage and use an application are as follows.
- API developers ask the webMethods API Gateway administrators to create an application, based on the identification criteria they need.
- The webMethods API Gateway provider or administrator validates the request and creates a new application, thereby provisioning the application-specific access tokens (API access key and OAuth credentials).
- The API developer, upon finding a suitable API, sends a request to webMethods API Gateway to consume it, providing the application details.
- After the request is validated, the webMethods API Gateway provider or administrator associates the application with the API. Keys are generated per application, not for every API that the application consumes. Note: The requesting application handles the approval process, if any; API Gateway does not handle the approval process.
- The API developer can then use the application with the proper identifier (such as the access key) to access the API.
API key expiration date
A webMethods API Gateway application has an optional expiration date for its API key. Once the API access key has expired, the application can no longer be identified by it. The webMethods API Gateway administrator can configure the apiKeyExpirationPeriod parameter on the Extended settings page. If no expiration date is specified, the API key never expires.
Suspended Applications
You can suspend an application to temporarily block requests from it without deleting it. If a suspended application is identified while a request is being processed, the request is rejected with an HTTP 403 (Forbidden) error. The response body has the following content.
Application has been identified but it is currently suspended. Contact
the webMethods API Gateway administrator for further details.
You can resume the suspended applications to enable the identification again.
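As an added example (not webMethods API Gateway code), the following Python models the two run-time checks described in the API key expiration date and Suspended Applications sections: an expired key makes the application unidentifiable, exactly like an unknown key, and a suspended application that is identified gets the HTTP 403 response with the body shown above. The record shape, function names, the timedelta used in place of apiKeyExpirationPeriod (whose unit the page does not state) and the sample registry are assumptions.

```python
"""Run-time gating of an identified application: API key expiry and suspension,
modelled on the two sections above.  Added illustration, not webMethods API
Gateway code; record shape, function names and sample data are assumptions."""
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Body returned with HTTP 403 for a suspended application (wording from the page).
SUSPENDED_BODY = ("Application has been identified but it is currently suspended. Contact "
                  "the webMethods API Gateway administrator for further details.")


@dataclass
class ApplicationRecord:
    name: str
    api_key: str
    api_key_expires_at: Optional[datetime] = None  # None: the key never expires
    suspended: bool = False


def expiry_from_period(created_at: datetime, period: Optional[timedelta]) -> Optional[datetime]:
    """Derive a key's expiry from its creation time and an expiration period.
    Stands in for the gateway-wide apiKeyExpirationPeriod setting; its unit is not
    given on this page, so a timedelta is assumed.  None means the key never expires."""
    return None if period is None else created_at + period


def identify_by_api_key(registry, presented_key: str, now: datetime) -> Optional[ApplicationRecord]:
    """Return the application whose key matches and has not expired, else None.
    An expired key must behave exactly like an unknown one: the application cannot
    be identified.  compare_digest avoids a timing side channel on the key value."""
    for app in registry:
        if hmac.compare_digest(app.api_key.encode(), presented_key.encode()):
            if app.api_key_expires_at is not None and now >= app.api_key_expires_at:
                return None
            return app
    return None


def gate(registry, presented_key: str, now: datetime):
    """Identify, then apply suspension.  Returns (outcome, http_status, body):
    ('unidentified', None, None) when no application matches,
    ('suspended', 403, SUSPENDED_BODY) for an identified but suspended application,
    ('allowed', None, None) otherwise, so the rest of the policy chain can run."""
    app = identify_by_api_key(registry, presented_key, now)
    if app is None:
        return ("unidentified", None, None)
    if app.suspended:
        return ("suspended", 403, SUSPENDED_BODY)
    return ("allowed", None, None)


def suspend(app: ApplicationRecord) -> None:
    """Temporarily block the application without deleting its keys."""
    app.suspended = True


def resume(app: ApplicationRecord) -> None:
    """Re-enable a suspended application."""
    app.suspended = False


# Constructed sample registry and clock values.
CREATED = datetime(2024, 1, 1, tzinfo=timezone.utc)
REGISTRY = [
    ApplicationRecord("alpha", "key-alpha-0001",
                      api_key_expires_at=expiry_from_period(CREATED, timedelta(days=90))),
    ApplicationRecord("beta", "key-beta-0002", api_key_expires_at=None, suspended=True),
]
BEFORE_EXPIRY = CREATED + timedelta(days=30)
AFTER_EXPIRY = CREATED + timedelta(days=120)

if __name__ == "__main__":
    print(gate(REGISTRY, "key-alpha-0001", BEFORE_EXPIRY)[0])  # allowed
    print(gate(REGISTRY, "key-alpha-0001", AFTER_EXPIRY)[0])   # unidentified
    print(gate(REGISTRY, "key-beta-0002", BEFORE_EXPIRY)[1])   # 403
```

Note the deliberate asymmetry: suspension is reported with a distinct 403 body because the application was identified, whereas an expired key yields the same result as an unknown key, so a caller learns nothing about whether a key once existed.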