
API Access Control using OTK

Question asked by Kareem.shaik7 on Feb 14, 2017
Latest reply on May 3, 2017 by Stephen_Hughes



We are using OTK for authentication and authorization.


Assume we have two APIs: API-POST and API-GET.

Both APIs are published to Portal. Two applications are created in Portal.

   Application 1: API-POST is added to this application.

   Application 2: API-GET is added to this application.


There are two developers who can log in to the portal and subscribe to APIs:

Developer1: Subscribed to Application 1

      OAuth Credentials: ClientId1, SecretKey1

Developer2: Subscribed to Application 2.

      OAuth credentials: ClientId2, SecretKey2


Developers use their OAuth keys to generate an access token from the OTK API and use this token to authenticate to the actual APIs.

Developer1 is able to view only API-POST from the portal and get all the details required to call API.

Similarly, Developer2 can view API-GET and is unaware of API-POST.


But what we have observed is that Developer1 can access API-GET with a token generated using his ClientId1 and ClientId2, even though he is restricted at the Portal. The same applies to Developer2.


So anyone with a valid access token can call all the APIs of the Gateway, even if they were restricted at the portal.

Is this a serious security threat? Is there any configuration where we can control access for users in the same way as the Portal does?
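The gap described in the question is that the gateway policy only checks whether a token is valid, not whether the token's client belongs to an application that is subscribed to the API being called. The following is an added example, not code from the original post or from OTK/the API Gateway: it models that check in Python so the difference between the two policies can be seen side by side. Everything in it is constructed: the introspection result shape (loosely modelled on RFC 7662), the token store standing in for the OTK token endpoint, the `API_SUBSCRIPTIONS` registry mirroring the Portal subscriptions from the question, and the per-API scope names are all assumptions.

```python
"""Added example: per-API subscription check at the gateway, modelled on the
question above. All names, stores and scope values below are constructed."""

from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Constructed registry mirroring the Portal subscriptions in the question:
# an API may only be called by client IDs of the applications it was added to.
API_SUBSCRIPTIONS: Dict[str, Set[str]] = {
    "API-POST": {"ClientId1"},  # Application 1 (Developer1)
    "API-GET": {"ClientId2"},   # Application 2 (Developer2)
}

# Constructed per-API scope names; assumed to be granted at token issuance
# only to applications subscribed to that API.
API_SCOPES: Dict[str, str] = {
    "API-POST": "api-post",
    "API-GET": "api-get",
}


@dataclass(frozen=True)
class Introspection:
    """Subset of an introspection response (hypothetical shape)."""
    active: bool
    client_id: str = ""
    scope: str = ""  # space-separated scopes, as in OAuth 2.0


# Constructed stand-in for the OTK token endpoint: opaque token -> metadata.
TOKEN_STORE: Dict[str, Introspection] = {
    "tok-dev1": Introspection(True, "ClientId1", "api-post"),
    "tok-dev2": Introspection(True, "ClientId2", "api-get"),
    "tok-expired": Introspection(False),
}


def introspect(token: str) -> Introspection:
    """Look the token up; unknown tokens are reported as inactive."""
    return TOKEN_STORE.get(token, Introspection(False))


def authorize_token_only(api: str, token: str) -> Tuple[bool, str]:
    """The behaviour the question reports: any active token reaches any API."""
    info = introspect(token)
    if not info.active:
        return False, "invalid_token"
    return True, "ok"


def authorize_with_subscription(api: str, token: str) -> Tuple[bool, str]:
    """Hardened policy: the token must be active AND its client must belong to
    an application subscribed to this API AND carry the API's scope.
    Unknown APIs are denied by default rather than falling through."""
    info = introspect(token)
    if not info.active:
        return False, "invalid_token"
    allowed_clients = API_SUBSCRIPTIONS.get(api)
    required_scope = API_SCOPES.get(api)
    if allowed_clients is None or required_scope is None:
        return False, "unknown_api"
    if info.client_id not in allowed_clients:
        return False, "client_not_subscribed"
    if required_scope not in info.scope.split():
        return False, "insufficient_scope"
    return True, "ok"


def decision_table() -> Dict[Tuple[str, str], Tuple[bool, bool]]:
    """For each (api, token) pair: (token-only decision, hardened decision)."""
    table = {}
    for api in API_SUBSCRIPTIONS:
        for token in TOKEN_STORE:
            table[(api, token)] = (
                authorize_token_only(api, token)[0],
                authorize_with_subscription(api, token)[0],
            )
    return table


if __name__ == "__main__":
    for (api, token), (naive, hardened) in sorted(decision_table().items()):
        print(f"{api:9} {token:12} token-only={naive!s:5} hardened={hardened}")
```

Running it shows the cross-application case from the question (Developer1's token against API-GET) passing the token-only policy and failing the hardened one with `client_not_subscribed`. In a real gateway deployment the equivalent of `API_SUBSCRIPTIONS` would have to be fed from the Portal's application/API mapping rather than hand-maintained, and the scope check only helps if the token endpoint restricts which scopes each application may request.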