WSO2 API Manager 4.6 is the latest release of one of the leading open-source API management platforms. Whether you are exposing an internal microservice to external partners or building a product API layer, APIM 4.6 provides the tooling to do it securely and at scale. This article walks through the essential steps to get your first API published and subscribed to.
Prerequisites
- WSO2 API Manager 4.6 installed (the Docker image wso2/wso2am:4.6.0 works for local testing)
- A backend service to proxy — a simple Express.js or PHP REST endpoint is sufficient
- A browser and Postman (or curl)
Step 1: Log in to the Publisher Portal
Navigate to https://localhost:9443/publisher and sign in with the default admin credentials. In production you should integrate with your Identity Server and disable the default admin account, but for a first API this is the fastest path.
Step 2: Create the API
Click Create API → REST API → Start from Scratch. Fill in:
- Name: StudentAPI
- Context: /student (the path prefix in the gateway URL)
- Version: 1.0
- Endpoint: the URL of your backend service
Under the API Definition tab, add your resources (GET /students, POST /students, etc.). You can import an OpenAPI 3 spec here to skip manual resource entry.
Step 3: Configure Security
APIM 4.6 defaults to OAuth 2.0 with JWT tokens. Under Runtime → Security, keep OAuth 2.0 enabled. For internal services that do not need user-level scopes, choose Application & Application User as the security level — this means a valid application access token is sufficient without a user login flow.
Step 4: Set Rate Limits
Apply a throttling policy under Policies → Rate Limiting. The built-in 10PerMin policy is a good starting point for a development API. In production, define custom policies that match your SLA commitments.
Step 5: Deploy and Publish
Click Deploy to push the API to the gateway node, then Publish to make it visible in the Developer Portal. Once published, developers can browse it at https://localhost:9443/devportal.
Step 6: Subscribe and Test
- Go to the Developer Portal, find your API, and click Subscribe.
- Create an application if you do not have one, then generate a production token.
- Copy the token and test via curl:
curl -H "Authorization: Bearer <token>" https://localhost:8243/student/1.0/students
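A check worth running after Step 6, as an added example that is not part of the original article or WSO2's own tooling: it confirms the gateway enforces the OAuth setting from Step 3 by expecting HTTP 401 for a missing or bogus token and 200 for the real one. `StubGateway`, `SAMPLE_TOKEN` and the function names are constructed for the demo so it runs offline, and the 401/200 expectations are assumptions about how the gateway responds.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

SAMPLE_TOKEN = "constructed-sample-token"  # constructed; not a real APIM token


class StubGateway(BaseHTTPRequestHandler):  # constructed stand-in for the gateway
    def do_GET(self):
        ok = self.headers.get("Authorization") == f"Bearer {SAMPLE_TOKEN}"
        self.send_response(200 if ok else 401)
        self.end_headers()


def status(url, token=None, context=None):
    """GET url, optionally with a bearer token, and return the HTTP status."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        conn = http.client.HTTPSConnection(parts.netloc, timeout=5, context=context)
    else:
        conn = http.client.HTTPConnection(parts.netloc, timeout=5)
    headers = {} if token is None else {"Authorization": f"Bearer {token}"}
    try:
        conn.request("GET", parts.path or "/", headers=headers)
        return conn.getresponse().status
    finally:
        conn.close()


def audit(url, token, context=None):
    """Confirm missing and bogus tokens get 401 and the real token gets 200."""
    checks = {
        "no_token_rejected": status(url, None, context) == 401,
        "bogus_token_rejected": status(url, "not-a-valid-token", context) == 401,
        "valid_token_accepted": status(url, token, context) == 200,
    }
    return {**checks, "pass": all(checks.values())}


def demo(handler=StubGateway):
    # Run the audit against the stub on a free loopback port.
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        url = f"http://127.0.0.1:{server.server_port}/student/1.0/students"
        return audit(url, SAMPLE_TOKEN)
    finally:
        server.shutdown()
```

Against a real deployment, call `audit("https://localhost:8243/student/1.0/students", token, context)` with an `ssl.SSLContext` that trusts the gateway's certificate.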
Key Improvements in APIM 4.6 vs Earlier Versions
- Improved AI-assisted API design in the Publisher Portal
- Native OpenAPI 3.1 support (3.0 was the previous ceiling)
- Better Kubernetes operator support for cloud-native deployments
- Enhanced monetisation and subscription plan management
Next Steps
Once your first API is running, explore mediation sequences (adding headers, transforming payloads) and the API Analytics dashboard to monitor traffic. Pinuno Academy's API Manager 4.6 course covers all of these topics in depth across a 12-week structured programme — see the course details.