Providing APIs in the Developer Portal

Red Hat 3scale 2-saas

A properly configured Developer Portal provides plenty of functionalities for API management.

Red Hat Customer Content Services


This guide documents the uses of the Developer Portal on Red Hat 3scale 2-saas.


This guide provides information about features and functionalities to boost your Developer Portal.

Part I. OpenAPI Specification (OAS)

Chapter 1. Creating a new service based on OAS

1.1. Introduction

This documentation outlines the features of OpenAPI 2.0 specification (OAS) in Red Hat 3scale 2-saas and provides steps to update an existing service or create a new one.

1.2. Prerequisites

  • OpenAPI Specification (OAS)
  • A 3scale 2-saas instance tenant credentials (token or provider_key)

1.3. Features of OpenAPI Specification


ActiveDocs are created/updated when importing OpenAPI (OAS)

  • Service’s system_name can be passed as an option parameter and defaults to info.title field from OAS.
  • Methods are created for each operation from the OAS.

    • Method names are taken from operation.operationId field.
  • All existing mapping rules are deleted before importing a new API definition.

    • Methods will be not deleted if they exist before running the command.
  • Mapping rules are created on each operation from the OAS.
  • The OpenAPI definition resource can be provided by one of the following channels:

    • Filename in the available path
    • URL format - toolbox will try to download from given address.
    • Read from stdin standard input stream.

1.4. Using OpenAPI Specification

    openapi - Import API definition in OpenAPI specification

    3scale import openapi [opts] -d <dst> <spec>

    Using an API definition format like OpenAPI, import to your 3scale API

       -d --destination=<value>                   3scale target instance.
                                                  Format: "http[s]://<authentication>@3scale_domain"

 -t --target_system_name=<value>            Target system name

    -c --config-file=<value>                      3scale toolbox
                                                  configuration file
    -h --help                                     show help for this command
    -k --insecure                                 Proceed and operate even
                                                  for server connections
                                                  otherwise considered
    -v --version                                  Prints the version of this

1.4.1. Detecting OpenAPI definition from the filename path

The allowed formats are json and yaml. The format is automatically detected from filename extension.

$ 3scale import openapi -d <destination> /path/to/your/spec/file.[json|yaml|yml]

1.4.2. Detecting OpenAPI definition from a URL

The allowed formats are json and yaml. The format is automatically detected from URL’s path extension.

$ 3scale import openapi -d <destination> http[s]://domain/resource/path.[json|yaml|yml]

1.4.3. Detecting OpenAPI definition from stdin

The command line parameter for the OpenAPI resource is -.

The allowed formats are json and yaml. The format is automatically detected internally with parsers.

$ tool_to_read_openapi_from_source | 3scale import openapi -d <destination> -

Part II. API documentation

Chapter 2. Update To ActiveDocs 2.0


The details of this section are for reference only. This option is no longer supported and you should consider migrating away from this configuration at the earliest opportunity.

By the end of this tutorial, you will know what changes you need to make to your ActiveDocs configuration to successfully upgrade to version 2.0.

For instructions applicable to the configuration of ActiveDocs 2.0, you can refer to Adding Specifications to 3scale. Detailed spec-related differences can be found on the official Swagger 1.2 to 2.0 Migration Guide. This article simply documents the extra steps to upgrade to ActiveDocs 2.0.


If your ActiveDocs spec is still in version 1.0, then please first convert it to version 1.2.

2.1. Step 1: Apply the appropriate naming convention to your specification

Navigate to the API → ActiveDocs tab in your Admin Portal. This will lead you to the list of your service specs. You should have already added a service spec (see Create a service specification).

Naming your specification

You should apply appropriate names to achieve the desired effect in your Developer Portal – the heading of your ActiveDocs API listing will appear as "System name: Description". You may need to recreate the spec again simply by copying the JSON spec and other fields, as the system name is read-only.

2.2. Step 2: Modify service spec

The specification for ActiveDocs 2.0 has some important changes to those for version as compared to version 1.2. See the Swagger 1.2 to 2.0 Migration Guide for detailed information. The most important changes are:

  • the "swaggerVersion": "1.2" root element is now "swagger": "2.0" and it is a required field.
  • The "info" object becomes required.
  • The "apiVersion": "1.0" becomes required and is now part of the "info" object: "info": { "version": "1.0", …​ }
  • The description in the "info" object becomes non-mandatory.
  • The license name field becomes required if "license" object is present.
  • The "basePath": "" field is split into three fields: "host": "", "basePath": "/api" and "schemes": [ "http" ]. None of these fields is mandatory.

2.3. Step 3: Add the Javascript and HTML content to your CMS page

Add the following code snippet to your CMS page, where SERVICE_NAME should be the system name of the service spec.

<p>Use our live documentation to learn about Echo API </p>
{% active_docs version: "2.0" services: "SERVICE_NAME" %}
<script type="text/javascript">
  $(function () {
    {% comment %}
    // you have access to swaggerUi.options object to customize its behaviour
    // such as setting a different docExpansion mode
    window.swaggerUi.options['docExpansion'] = 'none';
    // or even getting the swagger specification loaded from a different url
    window.swaggerUi.options['url'] = "";
    {% endcomment %}


If you want to include multiple Swagger specs on one page, you may use this customized snippet:

{% active_docs version: "2.0" services: "oauth" %}

<script type="text/javascript">
  $(function () {
    window.swaggerUi.load(); // <-- loads first swagger-ui
     // do second swagger-ui
     var url = "/swagger/spec/sentiment.json";
    window.anotherSwaggerUi = new SwaggerUi({
      url: url,
      dom_id: "another-swagger-ui-container",
      supportedSubmitMethods: ['get', 'post', 'put', 'delete', 'patch'],
      onComplete: function(swaggerApi, swaggerUi) {
        $('#another-swagger-ui-container pre code').each(function(i, e) {hljs.highlightBlock(e)});
      onFailure: function(data) {
        log("Unable to Load Sentiment-SwaggerUI");
      docExpansion: "list",
      transport: function(httpClient, obj) {
        log("[swagger-ui]>>> custom transport.");
        return ApiDocsProxy.execute(httpClient, obj);

2.4. Step 4: Test your API using ActiveDocs 1.2

  • Remember to enable Liquid tags on your CMS configuration page.

    Enable Liquid tags
  • Finally, while in the preview mode, close the right-hand vertical sidebar to see ActiveDocs 2.0.

The new styles are compliant with the newer Swagger spec (2.0). If you would like to change the look and feel, you would have to override the styles. Since the CSS for Swagger is included together with the HTML, you would have to define the styles with a higher specificity or with the !important tag.

Chapter 3. Adding specifications to 3scale

By the end of the section, you will have ActiveDocs set up for your API.

3scale offers a framework to create interactive documentation for your API.

With OpenAPI Specification (OAS) 2.0 (based on the OpenAPI Specification (OAS)) you will have a functional documentation for your API, which will help your developers explore, test and integrate with your API.

3.2. Create a service specification

When you add a new service spec, you will have to provide:

  • Name
  • System name (required to reference the Servcie specification from the Developer Portal)
  • Whether you want the specification to be public or not
  • A description that is only meant for your own consumption
  • API JSON spec, which you can see in the figure below.

The API JSON specification is the "secret ingredient" of ActiveDocs.

You must generate the specification of your API according to the specification proposed by OpenAPI Specification (OAS). In this tutorial we assume that you already have a valid OpenAPI Specification (OAS) 2.0-compliant specification of your API.

Create a Service specification for ActiveDocs

3.3. Working with your first ActiveDoc

Once you have added your first ActiveDoc, you can see it listed in [your_API_name] → ActiveDocs. You can edit it as necessary, delete it, or switch it from public to private. You can also detach it from your API or attach it to any other API. You can see all your ActiveDocs (attached to an API or not) in Audience → Developer Portal → ActiveDocs

List of Service specifications for ActiveDocs

You can also preview what your ActiveDocs looks like by clicking on the name you gave the service specification (in the example it was called it Pet Store). You can do this even if the specification is not public yet.

This is what your ActiveDoc will look like:

ActiveDocs New specification View

Chapter 4. Create an OAS spec

This section will help you to create a OpenAPI Specification 2.0-compliant (OAS) specification for your RESTful API, which is required to power ActiveDocs on your Developer Portal. If you only would like to read the code, all the examples are on OAS Petstore example source code.

4.1. About OpenAPI Specification (OAS)

3scale ActiveDocs are based on the specification of RESTful web services called Swagger (from Wordnik). This example is based on the Extended OpenAPi SpecificationPetstore example and draws all the specification data from the OpenAPi Specification 2.0 specification document.

OAS is not only a specification. It also provides a full feature framework around it:

  1. Servers for the specification of the resources in multiple languages (NodeJS, Scala, and others).
  2. A set of HTML/CSS/Javascripts assets that take the specification file and generate the attractive UI.
  3. A OAS codegen project, which allows generation of client libraries automatically from a Swagger-compliant server. Support to create client-side libraries in a number of modern languages.

4.2. 3scale ActiveDocs and OAS

ActiveDocs is not a OAS replacement but an instantiation of it. With ActiveDocs, you don’t have to run your own OAS server or deal with the UI components of the interactive documentation. The interactive documentation is served and rendered from your 3scale Developer Portal.

The only thing you need to do is to build a Swagger-compliant specification of your API, add it on your Admin Portal, and the interactive documentation will be available. Your developers will be able to launch requests against your API through your Developer Portal.

If you already have a Swagger-compliant specification of your API, you can add it in your Developer Portal (see the tutorial on the ActiveDocs configuration).

3scale extended the OAS specification in several ways to accommodate certain features that were needed for our own interactive API documentation:

  • Auto-fill of API keys
  • OAS proxy to allow calls to non-CORS enabled APIs

4.3. Creating the specification of your API

We recommend that you first read the original specification from the original source: the OAS Specification.

On the OAS site there are multiple examples of specifications. If you like to learn by example, you can follow the example of the Petstore API by the OAS API Team.

4.3.1. Learning by example: the Petstore API

The Petstore API is an extremely simple API. It is meant as a learning tool, not for production.

The Petstore API is composed of 4 methods:

  • GET /api/pets - returns all pets from the system
  • POST /api/pets - creates a new pet in the store
  • GET /api/pets/{id} - returns a pet based on a single ID
  • DELETE /api/pets/{id} - deletes a single pet based on the ID

Because Petstore is integrated with 3scale API Management, you have to add an additional parameter for authentication – for example, the standard User Key authentication method (there are others) sent in the headers.

You need to add the parameters:

user_key: {user_key}

The user_key will be sent by the developers in their requests to your API. The developers will obtain those keys on your Developer Portal. On receiving the key, you must to perform the authorization check against 3scale using the Service Management API.

For your developers, the documentation of your API represented in cURL calls would look like this:

curl -X GET "" -H "user_key: {user_key}"
curl -X POST "" -H "user_key: {user_key}" -d "{ "name": "NAME", "tag": "TAG", "id": ID }"
curl -X GET "{id}" -H "user_key: {user_key}"
curl -X DELETE "{id}" -H "user_key: {user_key}"

However, if you want the documentation to look like the OAS Petstore Documentation, you must create a Swagger-compliant specification like the associated Petstore swagger.json file. You can use this specification out-of-the-box to test your ActiveDocs. But remember that this is not your API. You can learn more in the next section.

4.3.2. More on the OAS specification

The OAS specification relies on a resource declaration that maps to a hash encoded in JSON. Take the Petstore swagger.json file as an example and go step by step. OAS object

This is the root document object for the API specification. It lists all the highest level fields.


The host must be a domain and not an IP address. 3scale will proxy the requests made against your Developer Portal to your host and render the results. This requires your host and basePath endpoint to be whitelisted by us for security reasons. You can only declare a host that is your own. 3scale reserves the right to terminate your account if we detect that you’re proxying a domain that does not belong to you. This means that local host or any other wildcard domain will not work. Info object

The Info object provides the metadata about the API. This will be presented in the ActiveDocs page. Paths object

The paths object holds the relative paths to the individual endpoints. The path is appended to the basePath to construct the full URL. The paths may be empty, due to ACL constraints.

Parameters that are not objects use primitive data types. In Swagger, these are based on the types supported by the JSON-Schema Draft 4. There is an additional primitive data type "file" but it will work only if the API endpoint has CORS enabled (so the upload won’t go through api-docs gateway). Otherwise, it will get stuck on the gateway level.

Supported datatypes

Currently OAS supports the following dataTypes:

  • integer with possible formats: int32 and int64. Both formats are signed.
  • number with possible formats: float and double
  • string with possible formats (besides the unformatted version): byte, date, date-time, password
  • boolean

4.3.3. Useful tools

The JSON Editor Online is useful if you are very familiar with the JSON notation. It gives a pretty format to compact JSON, and it also provides a JSON object browser.

The OAS Editor is another useful tool. This enables you to create and edit your OAS API specification written in YAML in your browser and preview it in real time. You can also generate a valid JSON specification, which you can upload later in your 3scale Admin Portal. You can use the live demo version with limited functionality or deploy your own OAS Editor. Extension to the OAS specification: auto-fill of API keys

Auto-fill of API keys is a useful extension to the OAS specification in 3scale ActiveDocs. In the parameters, you can define the x-data-threescale-name field with the following values depending on your API authentication mode:

  • user_keys - returns the user keys for applications of the services that use API key authentication only.
  • app_ids - returns the IDs for applications of the services that use App ID/App Key (OAuth and OpenID Connect are also supported for backwards compatibility).
  • app_keys - returns the keys for applications of services that use App ID/App Key (OAuth and OpenID Connect are also supported for backwards compatibility).
  • client_ids - returns the client IDs for applications of the services that use OAuth/OpenID Connect authentication only.
  • client_sercrets - returns the client secrets for applications of the services that use OAuth/OpenID Connect authentication only.

API key authentication example

The following example shows using "x-data-threescale-name": "user_keys" for API key authentication only:

"parameters": [
    "name": "user_key",
    "description": "Your access API Key",
    "type": "string",
    "in": "query",
    "x-data-threescale-name": "user_keys",
    "required": true

App ID/App Key authentication example

For App ID/App Key authentication mode, specify "x-data-threescale-name": "app_ids" for the parameter that represents the application ID, and "x-data-threescale-name": "app_keys" for the parameter that represents the application key.

When you have declared your parameters, ActiveDocs will automatically prompt the ActiveDocs user to log in to the Developer Portal to get their keys as shown in the following screenshot:

Auto-fill when not logged-in

If the user is already logged in, ActiveDocs will show the latest five keys that could be relevant for them so that they can test right away without having to copy and paste their keys.

Auto-fill when logged-in

The x-data-threescale-name field is an extension to the OAS specification that will be ignored outside the domain of ActiveDocs.

Chapter 5. ActiveDocs & OAuth

By the end of this tutorial, you will have a set of ActiveDocs that will allow your users to easily test and call your OAuth-enabled API from one place.

If you have an OAuth-enabled API, you will want to show off its capabilities to your users. How can you do this using ActiveDocs? While this is a bit trickier than usual, it’s still possible.

5.1. Prerequisites

Before you begin, you’ll need to have a Red Hat Single Sign-On instance set up, and OpenID Connect integration configured. See OpenID Connect integration documentation for information on how to set it up. Additionally, you will need to be familiar with how to set up ActiveDocs – see Add ActiveDocs and Create a (Swagger) spec.

5.2. Client credentials and resource owner flows

This first example is for an API using the OAuth 2.0 client credentials flow. This API accepts any path and returns information about the request (path, request parameters, headers, etc.). The Echo API is only accessible using a valid access token. Users of the API are only able to call it once they have exchanged their credentials (client_id and client_secret) for an access token.

In order for users to be able to call the API from ActiveDocs, they will need to request an access token. Since this is just a call to an OAuth authorization server, you can create an ActiveDocs spec for the OAuth token endpoint. This will allow you to call this endpoint from within ActiveDocs. In this case, for a client credentials flow, the Swagger JSON spec looks like this:

  "swagger": "2.0",
  "info": {
    "version": "v1",
    "title": "OAuth for Echo API",
    "description": "OAuth2.0 Client Credentails Flow for authentication of our Echo API.",
    "contact": {
      "name": "API Support",
      "url": "",
      "email": ""
  "host": "",
  "basePath": "/auth/realms/realm-example/protocol/openid-connect",
  "schemes": [
  "paths": {
    "/token": {
      "post": {
        "description": "This operation returns the access token for the API. You must call this before calling any other endpoints.",
        "operationId": "oauth",
        "parameters": [
            "name": "client_id",
            "description": "Your client id",
            "type": "string",
            "in": "query",
            "required": true
            "name": "client_secret",
            "description": "Your client secret",
            "type": "string",
            "in": "query",
            "required": true
            "name": "grant_type",
            "description": "OAuth2 Grant Type",
            "type": "string",
            "default": "client_credentials",
            "required": true,
            "in": "query",
            "enum": [

For a resource owner OAuth flow, you’ll probably also want to add parameters for a username and password, as well as any other parameters that you require in order to issue an access token. For this client credentials flow example, you’re just sending the client_id and client_secret – which can be populated from the 3scale values for signed-in users – as well as the grant_type.

Then in the ActiveDocs spec for our Echo API we need to add the access_token parameter instead of the client_id and the client_secret.

  "swagger": "2.0",
  "info": {
    "version": "v1",
    "title": "Echo API",
    "description": "A simple API that accepts any path and returns information about the request",
    "contact": {
      "name": "API Support",
      "url": "",
      "email": ""
  "host": "",
  "basePath": "/v1/words",
  "schemes": [
  "produces": [
  "paths": {
    "/{word}.json": {
      "get": {
        "description": "This operation returns information about the request (path, request parameters, headers, etc.),
        "operationId": "wordsGet",
        "summary": "Returns the path of a given word",
        "parameters": [
            "name": "word",
            "description": "The word related to the path",
            "type": "string",
            "in": "path",
            "required": true
            "name": "access_token",
            "description": "Your access token",
            "type": "string",
            "in": "query",
            "required": true

You can then include your ActiveDocs in the Developer Portal as usual. In this case, since you want to specify the order in which they display to have the OAuth endpoint first, it looks like this:

{% active_docs version: "2.0" services: "oauth" %}

<script type="text/javascript">
  $(function () {
    window.swaggerUi.load(); // <-- loads first swagger-ui

    // do second swagger-ui

    var url = "/swagger/spec/echo-api.json";
    window.anotherSwaggerUi = new SwaggerUi({
      url: url,
      dom_id: "another-swagger-ui-container",
      supportedSubmitMethods: ['get', 'post', 'put', 'delete', 'patch'],
      onComplete: function(swaggerApi, swaggerUi) {
        $('#another-swagger-ui-container pre code').each(function(i, e) {hljs.highlightBlock(e)});
      onFailure: function(data) {
        log("Unable to Load Echo-API-SwaggerUI");
      docExpansion: "list",
      transport: function(httpClient, obj) {
        log("[swagger-ui]>>> custom transport.");
        return ApiDocsProxy.execute(httpClient, obj);



Chapter 6. Publish ActiveDocs in the Developer Portal

By the end of this tutorial, you will have published your ActiveDocs in your developer portal.

Once you have added specifications to 3scale, it’s time to make it public and link it on your Developer Portal so it can be used by your API developers.

You’ll have to add the following snippet to the content of any page of your Developer Portal. This must be done through the CMS of your Developer Portal. Note that SERVICE_NAME should be the system name of the service spec, pet_store in the example.

<p>Use our live documentation to learn about Echo API</p>
{% active_docs version: "2.0" services: "SERVICE_NAME" %}
<script type="text/javascript">
  $(function () {
    {% comment %}
      // you have access to swaggerUi.options object to customize its behaviour
      // such as setting a different docExpansion mode
      window.swaggerUi.options['docExpansion'] = 'none';
      // or even getting the swagger specification loaded from a different url
      window.swaggerUi.options['url'] = "";
    {% endcomment %}
  • You can specify only one service on one page. If you want to display multiple specifications, the best way is to do it on different pages.
  • This snippet requires jQuery, which is typically already included in the main layout of your Developer Portal. If you remove it from there, make sure you add the jQuery dependency on the page with ActiveDocs.
  • Make sure you have Liquid tags enabled on the CMS page.
  • The version used in the Liquid tag {{ '{% active_docs version: "2.0" ' }}%} should correspond to that of the Swagger spec.
  • If you would like to fetch your specification from an external source, change the JavaScript code as follows:
$(function () {
 window.swaggerUi.options['url'] = "SWAGGER_JSON_URL";

You can see an example in the snippet in on line 14. Just make sure that this line is not inside the comments block.

Chapter 7. Upgrade Swagger UI 2.1.3 TO 2.2.10

If you are using a version of 3scale that contains Swagger UI 2.1.3, you can upgrade to Swagger UI version 2.2.10.

Previous implementations of Swagger UI 2.1.3 in the 3scale developer portal rely on the presence of a single {% active_docs version: "2.0" %} liquid tag in the Documentation page. With the introduction of support for Swagger 2.2.10 in 3scale, the implementation method changes to multiple cdn_asset and include liquid tags.


Previous versions of Swagger UI in 3scale will continue to be called using the legacy active_docs liquid tag method.

Perform the following steps to upgrade Swagger UI 2.1.3 to 2.2.10:

  1. Log in to your 3scale AMP admin portal
  2. Navigate to the Developer PortalDocumentation page, or the page in which you want to update your Swagger UI implementation
  3. In the code pane replace the {% active_docs version: "2.0" %} liquid tag with the following assets with the cdn_asset liquid tag and the new partial shared/swagger_ui:

    {% cdn_asset /swagger-ui/2.2.10/swagger-ui.js %}
    {% cdn_asset /swagger-ui/2.2.10/swagger-ui.css %}
    {% include 'shared/swagger_ui' %}
  4. By default, Swagger UI loads the ActiveDocs specification published in APIs > ActiveDocs. Load a different specification by adding the following window.swaggerUi.options line before the window.swaggerUi.load(); line, where <SPEC_SYSTEM_NAME> is the system name of the specification you want to load:

    window.swaggerUi.options['url'] = "{{provider.api_specs.<SPEC_SYSTEM_NAME>.url}}";

Chapter 8. APIcast self-managed (old version) and OAuth 2.0


The details of this section are for reference only. This option is no longer supported and you should consider migrating away from this configuration at the earliest opportunity.

SSL use is mandatory for all OAuth calls.

This document refers to OAuth for an old version of APIcast which consists of Nginx downloadable configuration files. Note that since May 2017, that version is no longer available in the GUI for new customers. For details on OAuth support in the latest version of APIcast, please see here.

This tutorial shows the necessary steps to set up APIcast self-managed with 3scale’s OAuth extensions to make APIcast act as an OAuth 2.0 provider.

Currently, only the authorization code (server-side) grant flow is available in APIcast. However, you can find config templates for all other flows on this GitHub repository.

8.1. Prerequisites

As 3scale doesn’t hold any details about the users that you authenticate, in order to integrate with 3scale using OAuth 2.0, we require that you handle user authentication on your side. To do this, you’ll have to provide the URL for a page where APIcast can send users to authorize an application. This page should be behind a login so that the user can be correctly identified and authenticated. Once the user has been authenticated and the application authorized, you should redirect back to APIcast with the outcome of the authorization grant from the user.

When APIcast redirects a user to the authorization URL, it will send the following parameters along with the request:

  • scope: the plan ID that the application belongs to. The application plan defines the scope in 3scale.
  • state: a hash value shared between APIcast and the API to identify request and ensure its authenticity.
  • tok: the value of the access token that will be given to the user if the application is authorized. The token will only be issued when it’s exchanged for an authorization code. If the authorization code is not exchanged, the access token will expire after 10 minutes.

If the user successfully identifies himself and authorizes the application, the authorization page should redirect to an endpoint on APIcast. By default this is located at /callback, but it can easily be changed within the APIcast config files to suit your needs.

Take a look and see how to set this up.

8.2. OAuth Configuration

To proceed with the installation, you’ll need to follow most of the same steps as with the basic APIcast Integration to configure your API and define your methods and enpdoints. You can find these steps in the link: Installing APIcast document. Additionally, you will need to make sure the following steps are followed:

8.2.1. Step 1: Edit Integration Settings

As per the screenshot below, you will need to set the "Production Deployment Option" to Self-Managed Gateway, as OAuth is not currently available on APIcast hosted.

OAuth APIcast Settings

On the same page, you will also need to set the "Authentication" to OAuth 2.0.

8.2.2. Step 2: Declare your OAuth Authorization Endpoint

This will be the url that your users are presented with when they need to log in to your service to authenticate themselves and provide consent.

The APIcast OAuth extension allows APIcast to act as an OAuth provider. However, you still need to provide an authorization endpoint for users to authenticate themselves and approve/reject third-party application access. This authorization endpoint should be behind a login so a user can be identified and authenticated. Once the approval is done, you will need to redirect your logged in user to the callback endpoint on APIcast, so it can take care of the rest of the workflow.

8.2.3. Step 3: Download the APIcast config files

3scale automatically generates all the files needed to use APIcast as your API gateway and OAuth provider based on the data you input into the integration page. Once you have entered all the required information, you can download these files and install them on your own APIcast instance. The zip file downloaded will contain a separate *.lua file for each service defined as well as lua files to support the OAuth handshake and a nginx_\*.conf file which is shared across services.

If you have multiple services defined, the user downloading the configuration files will receive a zip file where the Lua files will only contain Service tokens corresponding to the services that they have access to. This way the Provider Key is kept secret to full admins only.

8.3. Running your self-managed APIcast instance (production)

If you’re familiar with NGINX, it shouldn’t take you long to get APIcast up and running locally. Note that your NGINX installation must have the Lua plugin, and for some of the OAuth 2.0 grant types, you must also have Redis installed on your server.

If you’re not familiar with NGINX, we recommend you install OpenResty, a fantastic web application, which is basically a bundle of the standard NGINX core with almost all of the third-party NGINX modules that you’ll need built in.

8.3.1. Step 1: Install the dependencies (for Ubuntu)

For Debian/Ubuntu linux distribution you should install the following packages using apt-get:

sudo apt-get install libreadline-dev libncurses5-dev libpcre3 libpcre3-dev libssl-dev perl
sudo apt-get build-dep nginx

For different systems, check out the OpenResty documentation.

8.3.2. Step 2: Compile and install OpenResty

Download the code and compile it, change VERSION with your desired version (we usually recommend running the latest stable version.)

tar -zxvf ngx_openresty-VERSION.tar.gz
cd ngx_openresty-VERSION/

./configure --prefix=/opt/openresty --with-luajit --with-http_iconv_module -j2

make install

At this point, you have NGINX and Lua installed using the OpenResty bundle.

8.3.3. Step 3: Install Redis

Download and install Redis on APIcast server (we recommend to always use the latest stable version.)

tar zxvf  redis-VERSION.tar.gz
cd redis-VERSION
sudo make install

In order to to install and run the Redis server, run the following, accepting all the default values:

sudo ./utils/

8.3.4. Step 4: Download the APIcast configuration from 3scale

Please note that only the authorization code (server-side) grant flow configs are currently available for download from the Integration page. However, you can find configuration templates for all other flows on our GitHub repository here.

Download the APIcast configuration files from 3scale by clicking the Download button. This will give you a zip file with six files inside:

  • authorize.lua - This file contains the logic for authorizing the client, redirecting the end_user to the OAuth login page, generating the access token, and checking that the return URL matches the one specified by the API buyer. It runs when the /authorize endpoint is hit.
  • authorized_callback.lua - This file contains the logic for redirecting an API end user back to the API buyer’s redirect URL. As an API provider, you’ll need to call this endpoint once your user successfully logs in and authorizes the API buyer’s requested access. This file gets executed when the /callback endpoint is called by your web application.
  • get_token.lua - This file contains the logic to return the access token for the client identified by a client_id. It gets executed when the /oauth/token endpoint is called.
  • nginx_*.conf - The .conf is a typical NGINX config file. Feel free to edit it or to copy/paste it into your existing .conf if you are already running NGINX.
  • nginx_*.lua - This file contains the logic that you defined on the web interface to track usage for various metrics and methods.
  • threescale_utils.lua

8.3.5. Step 5: Start and stop APIcast

The only thing left to do is start APIcast. There are many ways to do this, but the most straight-forward is:

sudo /opt/openresty/nginx/sbin/nginx -p /opt/openresty/nginx/ -c /opt/openresty/nginx/conf/YOUR-CONFIG-FILE.conf

The example assumes that the working directory of APIcast is /opt/openresty/nginx which is the path you passed during the installation to configure --prefix=/opt/openresty. You can change it, but be aware of the user privileges.

The example also assumes that the .conf generated by 3scale is placed at /opt/openresty/nginx/conf/. Of course, you should place the files and the directories at the location that best suits your production environment, as well as to start and stop the process as a system daemon instead of by executing the binary directly.

To stop a running APIcast instance:

sudo /opt/openresty/nginx/sbin/nginx -p /opt/openresty/nginx/ -c /opt/openresty/nginx/conf/YOUR-CONFIG-FILE.conf -s stop

The option -s let you pass a signal to nginx. The process that will be stopped is the one whose .pid is stored in /opt/openresty/nginx/logs/

The APIcast logs are in the same directory by default: /opt/openresty/nginx/logs/. Check the error.log when setting up the whole process.

8.3.6. Step 6: Test your OAuth Flow

The best way to test that your API now supports OAuth is to use Google’s OAuth playground:

You will need to set the redirect URL for the application you want to use to test this to the google OAuth Playground URL:

You can then fill in the settings as in the screenshot below:

Google OAuth Playground Settings

The authorization and token endpoint URLs are the URLs from your APIcast instance. In the scope, put the name of the application plan for the application (for example, “Default”).

Click on Authorize API, which will redirect you to your login URL. Then, log in to a user account on your application and authorize the application. Once that’s done, you’ll be redirected back to the Google OAuth Playground with an authorization code. Exchange this for an access token. You now have an access token to call protected endpoints on your API.

You can now make a request to your API, but replacing your API backend host name (in the example by the hostname of your APIcast instance and adding the access_token parameter. For example:

curl -X GET "http://YOUR_APICAST_HOST/read?access_token=YOUR_ACCESS_TOKEN"

Now you have your API integrated with 3scale.

Chapter 9. APIcast Self-Managed (Nginx downloadable configuration files)


The details of this section are for reference only. This option is no longer supported and you should consider migrating away from this configuration at the earliest opportunity.

This document refers to a version of APIcast which consists of Nginx downloadable configuration files. This version is only available to customers who created a 3scale account before May 2017. For details on how to deploy the latest version of APIcast, please see this guide.

This tutorial shows the necessary steps to deploy APIcast on your own server to have it ready to be used as a 3scale API gateway.

9.1. Prerequisites

You will need to configure APIcast in your 3scale Admin Portal as per Installing APIcast, if you haven’t done so already. Make sure Self-managed Gateway is selected as the deployment option in the integration settings. You should have both Staging and Production environment configured to proceed.

You should also have a server where you will deploy APIcast self-managed. This tutorial covers how to install your self-managed APIcast instance on a server running Red Hat Enterprise Linux – the operating system supported by the Red Hat 3scale API management platform. The server can be located either in the cloud, or on premise.

9.2. Step 1: Install OpenResty and dependencies

APIcast requires some external modules for NGINX. Even though it’s possible to compile NGINX with these modules from source, we strongly recommend using OpenResty – an excellent bundle that already includes all the necessary modules.

This guide covers the steps to set up the official pre-built packages that OpenResty provides for Red Hat Enterprise Linux (RHEL) version 7. The latest installation instructions can be found in the OpenResty documentation.

For other operating systems please refer to the OpenResty installation instructions.

First, add the openresty repository to your RHEL system by creating the file /etc/yum.repos.d/OpenResty.repo with the following content:

name=Official OpenResty Repository

Install OpenResty package:

sudo yum install openresty

If you want to use APIcast v2, you will also need to install the resty command-line utility with the following command:

sudo yum install openresty-resty

You can learn more about these and other OpenResty packages in OpenResty documentation.

9.3. Step 2: Deploy and run APIcast v1

9.3.1. Download the configuration files

To transform your NGINX (OpenResty) instance into a 3scale API gateway ready to use for your API, download your configuration files from your 3scale Admin Portal. You can find the link Download the NGINX Config files at the bottom of the Integration page for your API.

The downloaded archive will contain the following files (XXX will be a numeric ID):

  • nginx_XXX.conf is an NGINX configuration file. You can customize it to meet you production environment requirements: set the number of worker processes, configure logging, etc. (check NGINX documentation for more information).

    You will also need to:

    • Check that the correct port is specified in the listen directive in the server block and change if needed.
    • If you want to use HTTPS on your APIcast instance, make the necessary changes in your NGINX configuration file – you can refer to the NGINX documentation for more details.
    • By default the lua_code_cache directive is set to off, which is useful for testing purposes. When you are ready to run the configuration in production, make sure to change this to on to improve the performance.
  • The nginx_XXX.lua file contains the logic that you defined in your Admin Portal (authentication methods, mapping rules etc.) You can modify the file to add new features or handle custom requirements that are not supported by 3scale Admin Portal web interface.

You will need to copy all the .conf and .lua files to the OpenResty configuration directory. If you installed OpenResty using the instructions in Step 1, the default path will be /usr/local/openresty/nginx/conf/.

9.3.2. Run APIcast

After you have copied the files, you can start APIcast by running:

sudo openresty -c /usr/local/openresty/nginx/conf/nginx_XXX.conf

You can also run a syntax error test on the configuration file by running the previous command with the -t parameter.

You can control the running NGINX by executing the same command with the parameter -s:

sudo openresty -c /usr/local/openresty/nginx/conf/nginx_XXX.conf -s SIGNAL

where SIGNAL is one of the following:

  • stop - fast shutdown
  • quit – graceful shutdown (waits for the worker processes to finish serving current requests)
  • reload – reloads the workers using the updated configuration file

The logs by default will be in the /usr/local/openresty/nginx/logs directory. If you have any problems with the setup, you might want to check the error.log for details. You can also check out the link:Troubleshooting guide for solutions to some common issues.

You should now be running APIcast Self-Managed. If you plan to install APIcast on OpenShift, we recommend checking out this tutorial.

Legal Notice

Copyright © 2020 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.