API Visibility, Licenses, and Settings
Manage API visibility, configure license scope to determine what licenses will be offered for the API, and manage settings relating to API access.
API Platform Version: 8.1 and later
Table of Contents
- What is the difference between Sandbox and Live implementations?
- What is auto-connect?
- How do I set up auto-connect for my API?
- How do I set up my API to allow anonymous access?
- How do I determine what licenses will be available for my API?
- How do I edit the license on an API access request?
- What is scope mapping and how do I set it up?
- How do I inform app developers about available licenses and API access?
- I want to exclude an operation so app developers can't use it. How do I do that?
- What is a private API?
- How do I manage API visibility?
- How does the API visibility option work?
- What API License visibility options are supported for Groups?
- How do I edit the API visibility scope for a Group (API Administrator)?
- How do I create an API Context Group?
- What happens after I accept an invitation to an API Context Group?
- What about API documentation visibility?
- Related Topics
What is the difference between Sandbox and Live implementations?
Each implementation is configured by the API Admin; each has unique endpoints. A common scenario is outlined below:
- The Sandbox endpoint is a unique gateway URL that provides access to the API's Sandbox implementation—generally used for testing. App developers must request access; in some cases, Sandbox access might be auto-approved.
- The Live implementation is generally used for production traffic, for real transactions rather than testing. Often, the Live implementation has additional policies and security applied. However, the features of each endpoint are completely configurable.
What is auto-connect?
The platform's auto-connect feature allows an API Admin to set up the API so that when a new app is created on the platform, a contract with the API is created automatically. The API Admin specifies the details of the access granted with the auto-connect feature, such as whether access is to the Sandbox or Live implementation, or whether access is limited to specific operations or a specific transaction volume (via the Licenses feature, implemented with scope mapping).
You can change the auto-connect details for your API at a later time; however, be aware that if contracts have already been created, those will continue unless you specifically end them.
If your API uses licenses, it's important to set up scope mapping for your API before setting up the auto-connect feature, since the auto-connect settings reference the scope mapping settings.
For instructions on setting up auto-connect for your API, see How do I set up Auto-Connect for my API? below.
How do I set up auto-connect for my API?
If you want to grant new apps automatic access to your API, you'll want to set up the auto-connect feature.
Note: If your API is using licenses, set up scope mapping first. Then, follow the instructions below.
To set up auto-connect for an API:
- Go to the Details page for the API.
- From the drop-down list at the top right, choose Auto-Connect.
- In the Set Up Auto-Connect Settings page, check one or more boxes to indicate environment for auto-connect contracts: Live, Sandbox, or both.
- Conditional: if your API uses the Licenses feature, a list of scopes is displayed for any environment you selected. Check one or more scopes that you want to allow for an auto-connect contract, for each environment selected.
- Click Finish.
How do I set up my API to allow anonymous access?
The platform supports app developers testing an API without choosing a specific app (anonymous context).
In order for developers to be able to test your API in this way, you must have some settings in place:
- API setup, Proxy tab: Allow Anonymous Access is set to Yes.
- API setup, Proxy tab: This API Requires Approval is set to No.
- API setup, Proxy tab: there are no security policies added to the API.
- API setup, API tab: if the API uses licenses, make sure the licenses do not use any private scopes.
How do I determine what licenses will be available for my API?
There are a couple of steps you'll need to complete in your API setup to define the licenses that app developers will see when requesting access to your API:
- In your API setup, make sure that the Use Licenses box is checked. On the API Details page, from the drop-down list at the top right, choose Manage Licensing.
- Map scopes as needed. For instructions, see To perform scope mapping.
The scopes are the link between your API and the licenses that are offered to app developers. If you have any questions regarding which scopes to assign or which licenses will be available, consult your Business Admin.
For an overview of the Licenses feature and the relationship between the setup steps performed by the Business Admin and those done by the API Admin, and the relationship between scopes and licenses, see Licenses: Feature Overview.
How do I edit the license on an API access request?
An API Administrator can change the license for a specific API Access Request prior to approving the request.
If you want to review the license scope of API access requests before approving, make sure you've selected the This API requires approval option in the API setup. If the API is set to auto-approve requests, you won't have the opportunity to modify the license.
To edit the license scope for a pending API access request:
- Go to APIs > Apps.
- Select the API Access Request you want to modify. It must have a status of Access Pending.
- Click Edit. The API Access Wizard launches and loads the Licenses page.
- Change the license option as needed.
- Click through the rest of the wizard and then click Save.
What is scope mapping and how do I set it up?
If your API is using the Licenses feature, scope mapping is the key to defining which portions of your API will be available for which licenses. The scopes and licenses themselves are defined by the Business Admin, but at the API level you determine which operations are assigned to which scopes. This in turn determines which licenses will be available to app developers requesting access to your API.
For example, let's say your API includes a set of operations relating to calendar functionality and another set of operations relating to email access and management. App A might only need access to the calendar functionality, and App B might include an email client and might require access to the operations relating to email. The scope mapping feature enables you to group individual operations into logical groups that can be separately packaged into a license for App A and another for App B.
As another example, let's say you want to offer access to your GET operations, and a higher level of access, for a fee, to all operations including add, modify, and delete. The Business Admin defines READ and MODIFY scopes, and then assigns each to a separate license. The API Admin assigns GET operations to the READ scope and assigns all operations to the MODIFY scope. Users who choose the paid license get access to all scopes; users who choose the free license can only access the GET operations.
At runtime, when a request is received to an API proxy from a particular app, the request is only passed through to the API if it is using one of the specific operations covered by the license governing the API contract.
To perform scope mapping:
- First, make sure the Licenses feature is enabled in the API. On the API Details page, from the drop-down list at the top right, choose Manage Licensing. On the Manage Licensing page, make sure the Enable Licensing for API check box is checked. If it isn't, check the box.
- Choose a scope mapping approach:
- API-Wide Mapping: choose this if you're not subdividing your operations for licensing purposes.
- Operation-Specific Mapping: choose this if you'll want to grant access to some portions of your API separately.
- Operation-specific mapping only: For each operation, in the Scope column, click Select. The Select Scope popup displays. Choose one or more scopes for the operation and click Confirm. If you assign scopes to an operation, all apps with licenses that include one of those scopes can use the operation. If no scopes are defined for an operation, it means that no scopes are needed for that operation (the least secure scenario).
- Repeat for each operation.
- Click Save.
How do I inform app developers about available licenses and API access?
As a standard practice, a list of available Licenses and the level of App Access provided by each License should be included in the documentation for your API.
I want to exclude an operation so app developers can't use it. How do I do that?
You might have one or more operations that are part of your API but you don't want to make them available for app developers. Perhaps they are still under development or being tested.
If you want to make sure no app can access these operations, the best way to do it is with scopes and licenses. You can use a scope that isn't assigned to any license, and use the API scope mapping wizard to assign that scope to the operation. When you're ready to share the operation, you can update the scope assignments, assigning a scope that's assigned to a license so that app developers can choose to access it.
What is a private API?
A private API is one that has a visibility setting such that it is visible only to platform users who are members of one or more groups that have been specifically invited to have visibility of the API.
In the platform, any API or other resource that is private is shown with a "lock" icon to indicate privacy.
How do I manage API visibility?
When you create an API using the Create a New API function you can control visibility of the API. You can change API visibility as needed.
To change API visibility
- Go to the Details page for the API.
- Click the Edit button.
- On the right, click to view the Advanced Options section.
- Change the visibility setting as needed. Valid values:
- Public: All users can see the API, whether logged in or not. The API is searchable, and displays in the All APIs search filter.
- Private: Only invited users and groups can see the API. It is visible to the creator, to all API Admins, and to individuals that are members of a group that is invited to have visibility of the API. The API name displays on the API Overview page with a lock icon indicating that it is private.
- Registered Users: All users who are logged in can see the API. To registered users, the API is searchable, and displays in the All APIs search filter.
- Click Save.
How does the API visibility option work?
The My APIs > choose API > Visibility menu option allows API Administrators to control who can see the API and its associated resources such as documentation and downloadable files. The API Admin can invite groups to have visibility of the API resources. The following group visibility scenarios are supported:
No Private Scopes.
|API is Public; everyone can see it
Some Private Scopes
|API is Public but some Scopes of the API are defined as Private.
|Visibility: Registered Users
No Private Scopes.
|All users who are logged in can see the API.
|Visibility: Registered Users
Some Private Scopes
|All users who are logged in can see the API, but some Scopes of the API are defined as Private.
No private Scopes
|API is Private.
Some Private Scopes
|API is Private.
What API License visibility options are supported for Groups?
The My APIs > choose API > Visibility page displays a list of API Groups that are members of the current API.
- If you want to manage the visibility of Licenses that an API Group can see for an API Version, you can configure the visibility using the Edit Scope function.
- Note that when an API Group is invited to an API Version, only Public Scopes will be included in the scope.
Note: the API Administrator can update the license scope configuration for Group Visibility at any time prior to the API Access Request being approved by the API Administrator. Once the API Access Request is approved the Edit Scope function is disabled.
The following license scope levels are supported.
|Unrestricted Access||This option implies all of the API documentation/Downloads will be visible to an API Group. All licenses will be available to select as an API Access Request scope when requesting API access for an app.|
|Restricted Access||This option gives the API Group a set of licenses as part of the visibility scope. A selection of Licenses are presented that can be made visible to a Group by clicking the check box.|
To configure license visibility for an API Group:
- Navigate to My APIs > choose API > Visibility > Groups. The Groups Summary page displays.
- Select the Group you want to edit the scope for and click Edit Scope. The Edit Scope pop-up menu displays.
- Based on your visibility requirements, click the Unrestricted Access or Restricted Access radio button. Click OK to commit your changes.
How do I edit the API visibility scope for a Group (API Administrator)?
An API Administrator can change the API license visibility for a specific Group.
To edit the license scope for Groups:
- Go to APIs > choose API > Visibility > Groups. The Groups Summary page displays.
- Select a group from the listing and click Edit Scope. The Edit Scope page displays.
- Click the radio button of the License access option you want to assign to the current Group. The following options are available:
License Option Description Unrestricted Access This option implies all of the API documentation/Downloads will be visible to an API Group. All licenses will be available to select as an API Access Request scope when requesting API access for an app. Restricted Access
This option gives the API Group a set of licenses as part of the visibility scope. Click the check box to select the Licenses you want to make visible to the current Group.
- Click Save to commit your changes.
How do I create an API Context Group?
If you've added a Private API (visibility = Private), the platform provides an API Context Group collaboration function via the API > Visibility > Groups page. For more information about working with groups, see Groups.
What happens after I accept an invitation to an API Context Group?
If you receive an invitation to an API Context Group, and accept the invitation:
- You become an API Context Group member.
- The API is visible in the My APIs section.
- The Access function is available on the API > Overview page of the API.
- If you are a Leader of the API Context Group, the Groups page in the APIs section displays your group membership (with Leader role), and a list of members you have personally invited to the API Context Group.
What about API documentation visibility?
If your API has restricted visibility, users who don't have visibility of the API will not see your API documentation.
If your API uses licenses, users who have visibility of the API as a whole might not have access to certain operations, depending on the licenses they've selected. In this scenario, you'll need to apply special tags to your API documentation to make sure that users will see the documentation they have access to. By default, untagged API doc content is hidden.
For information on tagging your API documentation, including the different types of tags available, implementation suggestions, and examples, see API Documentation Tagging.
Tip: If you don't care about hiding portions of your API documentation, see My API uses licenses, but I just want my documentation to be visible to everyone. What's the easiest way to set that up?