New features in WSO2 APIM 3.0 — GraphQL

Krishni Andradi
Nov 28, 2019 · 6 min read

Exposing GraphQL endpoint as a Managed API.

WSO2 API Manager 3.0

WSO2 API Manager is a fully open-source product that enables exposing APIs in a managed way. So that it will manage APIs security, access-control, throttling, lifecycle, API documentation, monetization and so on.

When it comes to API Manager 3.0 it comes with a new set of powerful features, so that they will support most upcoming stable technologies as well as security requirements.

The following are those new features.

  • Creating Publishing and Subscribing GraphQL API
  • Mutual SSL
  • Schema validation
  • API Monetization
  • Bot detection
  • API products
  • Enhanced CI/CD pipeline
  • Re skinned React JS based portals
  • Kubernetes operator

What is GraphQL?

GraphQL is a query language for APIs which enables fetching the exact amount of data (no under fetching and over fetching) that the user wants to fetch.

If you are not familiar with GraphQL you can practice and play around with it using GraphQL playground.

Open graphQL playground and copy the following URL in the GraphQL playground URL section. Now GraphQL playground will automatically generate the schema for GraphQL API.

When you click on the Schema button, you can view the generated schema and you can add any query to the left side console and view that queries output on the right side.

Download the schema and edit it to remove its comments. this will be useful when we create API using the WSO2 API Manager product.

Creating GraphQL API and publishing

At this point I hope that you have a WSO2 API Manager instance up and running as well you are familiar with WSO2 APIM publisher, WSO2 APIM dev portal and WSO2 APIM admin portal.

First, go to APIM Publisher and click on Create API > I have GraphQL SDL schema

Then upload the GraphQL schema definition file. And proceed to the next step where you have to specify the API name, context, version, endpoint, and business plan. Fill them as follows.

Name : CountryAPI


Version: 1.0.0


Business Plan: Unlimited

Now click on Create. Now you are done with Creating GraphQL API.

Now you may need to change any Design configurations, Runtime configurations, Endpoints and any other change you can do them by traversing the elements in the left side panel.

Adding access control

In WSO2 API Manager, we can limit access control based on Roles.

To do that first, we need to define scopes and assign roles to those scopes. And then we can limit our resource access to a particular scope.

Creating a scope

Go to scopes, and click on Create Scopes. Then specify scope name, description and, roles. Then save

Then go to operations, and assign a scope to the resource by selecting the correct scope, in the drop-down list of scopes near the resource name.

Then save the API.

Manage security of APIs

Go to operations.

Enabling and disabling security token can be done by clicking on Security enabled features in the individual resources. You can ON and OFF security token from there.

Then click Save to make changes effective.

Enforcing throttling policies

To enforce throttling policies again go to the Operations section, and select the correct rate limiting level in the operations configurations section.

If you are going with API level rate limiting select a correct rate-limiting policy by selecting from the drop-down in Operations configurations.

If you need to enable operation level rate limiting, click the option on operation level and select a matching rate-limiting policy for each operation near the operation.

Save changes.

Now you have enabled all the security, rate limiting, and access control as you expect.

Now goto Lifecycle section and click on Publish to publish our API.

Create Applications, Subscribing to API and Consuming

Now if you go to the developer portal, you will see our GraphQL endpoint is published. It will have that sky blue color GRAPHQL label to identify your graphQL API.

Now login to the developer portal and open your API, which you want to use.

Now you can follow either Key Generation Wizard or Subscribe to an Application to generate a key token.

Key generate wizard will walk you through, New application creation, Subscribe to the new application, Generate Keys, Generate Access token and Copy Access token. This way is easier if you are going to subscribe to an API, using a new application.

But if you want to subscribe to the API using an existing application you should follow Subscribe to Application flow.

Now you will be redirected to the API Credentials section.

Here you can subscribe to your API using an exiting application.

If you already have a subscription you can regenerate can copy sandbox and production keys. Then generate the token and copy that token to the clipboard.

Now go to the Try Out section, and copy the access token to the access token section. this tries out section is an integrated console to try out your APIs.

Now try out the API you want.

The request payload should be given as follows:


Here inside double quotes, you have to specify the exact query which you used in the graphQL playground when you are querying.

If you have specified any operation to be executed without access token as described in Manage security of APIs, it should work without the above access token. Try removing the access token and testing.

To test throttling you need to generate traffic as you have specified in the Rate limiting policy.

To check access control, try executing the API you specified scope. It will give you an error. But when you are generating the access token, if you specified the scope, as well as if you are login in as a person who has that role, it won’t give you an error as your access token falls under that scope.


GraphQL is a powerful query language to fetch data. Because of its ability to fetch data exactly, the amount of user needs it is becoming popular. Now WSO2 API manager helps them to exposes those APIs in a managed way as well.

This article is prepared based on following the webinar, which explains all the required information.

Thank You

WSO2 Solution Architecture Team Blog

Solutions Architecture (SA) team @ WSO2 help customers to…

WSO2 Solution Architecture Team Blog

Solutions Architecture (SA) team @ WSO2 help customers to solve their business problems using open source tools. SA team is working with many customers on different industry verticals recommending, designing and deploying production systems

Krishni Andradi

Written by

WSO2 Solution Architecture Team Blog

Solutions Architecture (SA) team @ WSO2 help customers to solve their business problems using open source tools. SA team is working with many customers on different industry verticals recommending, designing and deploying production systems