In the API Manager, APIs are assigned one of three levels of authorization. To help you better understand what's going on, this document will explain each of the authorization levels. 


Level 1: Unauthenticated API

Unauthenticated APIs (or, in API Manager terms, "Public" APIs) can be accessed (viewed and called) without a subscription. Thus, users can use the API without authenticating at all. They do not need to log into the API Store, they do not need to create an application, they do not need to subscribe, and they do not need to generate keys.

Because the use of Unauthenticated APIs is always done anonymously, it is impossible to see who needs the API. Furthermore, it is impossible to throttle the API. Because of this, BYU highly discourages developers from publishing Unauthenticated (or "Public") APIs. 


Level 2: Subscription-Required API

Subscription-Required APIs are APIs which require the user to log in to the API Store and subscribe to the API. If users wish to access Subscription-Required APIs, they need to create an application, subscribe to the API, generate keys, and then call the API using the keys and token that they generated. Depending on which OAuth flow the API uses, users may need to also use other credentials, such as CAS user log-in credentials, to successfully call the API. Consult the API documentation for more specific instructions.


Level 3: Restricted API

Restricted APIs are APIs which are tagged "Restricted" in the API Manager. Restricted APIs function similarly to Subscription-Required APIs, in the sense that a user must be subscribed to the API to call it. However, Restricted APIs involve an extra layer of security: in order to subscribe to a restricted API, users must first be approved by the API business owner or the API technical owner. Requesting access to a restricted API follows the same process as subscribing to a subscription-required API: the user must go to the API page in the API Store, then push "Subscribe." After pushing "Subscribe," if the API is tagged "restricted," the user will receive an email notifying him that his subscription request has been sent to the business and tehcnical owners for approval. If the owners approve the request, the subscription will automatically go into effect; if they deny the request, the user will not be subscribed to the API. Users will be notified by email of the decision.


The Need for Elevated Access

Each of the Authorization Levels above pertain only to the authorization to call an API. The authorization to call an API is separate from the authorization to receive back data. Even if you have rights to call an API and are calling it in the correct way, there is no guarantee that any data will be returned. Many APIs have public and/or self-service use, which allow users to receive a few data elements without needing to have a data sharing agreement–but many others do not. To find out what level of elevated access is required to receive back data from a particular API, consult the API documentation. To learn how to get a data-sharing agreement, click here.