A custom domain is essential for effective branding, discoverability, and credibility of a website. Choreo allows you to easily configure custom domains for your organization, enabling developers to utilize it to configure custom URLs for their components such as API proxies, services, web applications, and webhooks.
+This section provides an overview of Choreo’s custom domain configuration model and guides you through configuring a custom domain for your organization. It also walks you through utilizing a custom domain to configure a custom URL for a component.
+Choreo allows organization administrators to add custom domains for their organizations. When an administrator adds custom domains to an organization, component developers can submit requests to utilize the custom domains for their respective components. These requests require approval from the organization administrator. Upon approval, the custom domain and the relevant URL customization become available to the component.
+Create an organization in Choreo.
+
To add a custom domain for your organization, follow the steps given below:
+Note
+To add a custom domain, you must have organization administrator privileges.
+In the Add a Custom Domain pane, do the following:
+Select the entity type to apply the domain name.
+Tip
+In this context:
+Take a look at the generated CNAME target value displayed and create a DNS record associating the domain name to the CNAME target value with your DNS provider.
+
Info
+When you select Developer Portal as the type, the environment is not applicable, and the CNAME alias will be displayed as follows:
+ 
Once the CNAME type DNS record is created, click Verify.
+Note
+If the CNAME mapping is correct, the verification completes successfully. It can take some time for the configured CNAME mapping to be globally available.
+On successful verification of the custom domain, click Next.
+Select a TLS certificate provider depending on your preference. You can either import the TLS certificates you created for the custom domain or click Let's Encrypt to allow Choreo to generate and manage the certificates for you.
+If you want to import your own certificate, it should adhere to specific guidelines
+apis.choreo.dev, the SSL file must include apis.choreo.com.apis.choreo.dev, the SSL file should use *.choreo.dev.To proceed with this step in this guide, click Let's Encrypt.
+To save the custom domain, click Add.
+Now, you have successfully added a custom domain for your organization.
+You can see the added custom domain listed in the Active Domains tab under the URL Settings tab.
+
The custom domain you added will be available to the entity types in the specified environment. You can request the custom domain when configuring a custom URL for a component.
+Note
+If you add a custom domain for the Developer Portal type, the customization is applied immediately, and you can access the organization’s Developer Portal via the added domain.
+If you want to view the entity types that use a particular custom domain, click the specific custom domain listed in the Active Domains tab under URL Settings.
+When an organization administrator adds custom domains for specific environments, developers can request any available custom domain to configure a custom URL for a component in a specific environment.
+To request a custom URL for your component, follow the steps given below:
+Note
+Before you request a custom domain for a specific environment, ensure that the component is deployed to that environment.
+Click the URL Settings tab. This displays the active deployments of the component across different environments and indicates whether a custom URL is configured. If an active custom domain is available to configure a custom URL for a component in a specific environment, the Edit URL Mapping icon in the corresponding Action column becomes enabled.
+
To configure a custom URL for a component in a specific environment, click the Edit URL Mapping icon under the Action column corresponding to the respective environment. This opens the URL Settings dialog, where you can specify values to request for a custom URL.
+
In the URL Settings dialog, select a domain to configure a custom URL.
+Tip
+Click Configure. This creates the custom URL mapping, which you can see under the URL Settings tab. The custom URL request will be in the Pending status until an organization administrator approves the request.
+
When a developer requests a custom URL, the request will be listed in the organization-level settings page under the URL Settings tab.
+To approve a custom URL mapping, follow the steps given below:
+Note
+To approve custom URL requests, you must have organization administrator privileges.
+Click the URL Settings tab and then click the Pending URL Requests tab. You will see all the pending URL mapping requests sent by developers.
+
Go to the custom URL you want to approve and click the corresponding Approve URL Mapping icon under the Action column.
+Once approved, the invoke URL of the component gets replaced with the configured custom URL.
+
Now you have successfully utilized the configured custom domain to set up a custom URL for a component.
+ + + + + + +Developers looking to experiment with a complete application development process that includes user authentication and authorization can utilize Choreo's built-in identity provider (IdP). Choreo's built-in identity provider allows you to seamlessly test your application's authentication by setting up test users and groups within Choreo.
+Note
+Although the built-in IdP facilitates user management support, it is limited to adding users with attributes and groups. Therefore, the built-in IdP user management capabilities are not recommended for use in production.
+Before you try out the steps in this guide, be sure you have administrator rights to your Choreo organization. This permission is essential to configure a user store with the built-in IdP.
+Follow the steps given below to configure a Choreo built-in IdP user store for an environment:
+username,password,groups,first_name,last_name,email
+"demouser","password1","[manager, engineering]","John","Doe","john@acme.org"
+Note
+The provided template file includes a sample user with associated attributes. To add new users, insert additional rows in the .csv file. To include more user attributes, add columns as required in the .csv file.
Asgardeo is an identity-as-a-service (IDaaS) solution designed to create seamless login experiences for your applications. Asgardeo seamlessly integrates with Choreo, providing powerful API access control through the use of API scopes. This enables restricting API access to designated user groups. By configuring Asgardeo as an external IdP in Choreo, you can leverage your Asgardeo user stores to manage API access control effectively. This guide walks you through the steps to set up Asgardeo as your external IdP.
+Before you proceed, be sure to complete the following:
+Create an Asgardeo application. You can follow the Asgardeo guide to register a standard-based application.
+Find the well-known URL: + Go to the info tab of the Asgardeo application to view the endpoints and copy the Discovery endpoint.
+Find the Client ID: + Go to the Protocol tab of the Asgardeo application and copy the Client ID.
+Follow the steps below to add Asgardeo as an external IdP in Choreo:
+Leave the Apply to all environments checkbox selected. This allows you to use the tokens generated via this IdP to invoke APIs across all environments.
+Note
+If you want to restrict the use of tokens generated via this IdP to invoke APIs in specific environments, clear the Apply to all environments checkbox and select the necessary environments from the Environments list.
+Click Next. This displays the server endpoints that are useful to implement and configure authentication for your application.
+Now you have configured Asgardeo as an external IdP in Choreo.
+ + + + + + +In organizations leveraging Microsoft Azure Active Directory (Azure AD) for identity and access management (IAM), integrating it with Choreo offers powerful API access control. This control hinges on the use of API scopes. That is, it enables the restriction of access to a designated group of users. This document guide you step-by-step to configure Azure AD as your external IdP.
+Before you try out this guide, be sure you have the following:
+Follow the steps below to add Azure AD as an IdP in Choreo:
+To obtain the Well-Known URL of your Azure AD instance, on your Azure account, under Azure Active Directory go to App registrations, and then Endpoints. Copy the URI underOpenID Connect metadata document.
Info
+Well-Known URL, omit the v2.0 path segment from the URL. Learn more
+For example, convert https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration-> https://login.microsoftonline.com/<tenant-id>/.well-known/openid-configurationLeave the Apply to all environments checkbox selected. However, if you want to restrict the use of the external IdP to a certain environment, you can select them from the Environments list.
+Choreo allows you to configure approval processes for specific workflows within the platform. An approval process for a workflow ensures that critical or sensitive changes are properly managed and controlled.
+Choreo currently allows you to configure approvals for environment promotion workflows, with support for API subscription approvals coming soon.
+To review and respond to approval requests, a user must have the following permissions. Administrators must ensure that users designated to review and respond to approval requests have these permissions:
+To set up an approval process for a workflow, follow these steps:
+Note
+In the Configure Workflow dialog that opens, select roles and assignees to review and respond to workflow approval requests.
+Important
+Currently, there is no validation to ensure that the specified roles and assignees have the necessary permissions to review and respond to requests. If the required permissions are not correctly configured, some users may receive email notifications but will be unable to review the requests.
+Click Save. This configures and enables the approval process for the workflow.
+Once you configure an approval process for a workflow, developers must submit a request for approval to use the workflow. An authorized assignee must then review and approve the request for a developer to proceed with the task related to the workflow. Depending on the workflow, there can be tasks where the execution may occur automatically upon approval.
+ + + + + + +With Choreo, you can configure enterprise login to allow users from an external identity provider (IdP) to sign in to Choreo seamlessly without changing their credentials.
+This guide walks you through the steps to configure enterprise login for your organization in Choreo.
+Before you proceed with the configuration, set up the following:
+To configure enterprise login for your Choreo organization, follow the steps given below:
+If you already have a support account with us, send us your organization name/handle and the email domains specific to your organization through our support portal.
+If you do not have a support account with us yet, send an email to choreo-help@wso2.com requesting to enable enterprise login for your organization.
Tip
+Ensure you include the following information in the request:
+Sample email
+Subject : [Stark Industries] Configure enterprise login
+Hi CS team,
+I need to configure enterprise login for my organization. Can you please do the necessary configurations to proceed?
+My organization details are as follows:
+Thank you.
+The Choreo support team will perform the necessary configurations and respond to you with a verification code. You must sign in to your domain host account and configure the DNS record for your email domain with the following values:
+| Field | +Value | +
|---|---|
| Name/Host/Alias | +Specify @ or leave it blank |
+
| Time to Live (TTL) | +Keep the default value or use 86400 |
+
| Value/Answer/Destination | +wso2-domain-verification:<verification_code> |
+
Now, you are ready to bring your own identity to Choreo.
+When you create an organization in Choreo, an organization with the same name is provisioned for you in Asgardeo. To bring your own identity to Choreo, you must configure a federated enterprise IdP on Asgardeo in the organization that is provisioned for you.
+Follow the steps given below to configure the federated IdP:
+Now, users in your enterprise IdP can sign in to the Choreo Console using their enterprise IDs.
+To streamline the enterprise login process and grant appropriate permission, Choreo provides the flexibility to configure role-based access control for users who reside in an external IdP.
+To set up role-based access control for enterprise login within Choreo, follow the steps given below:
+Before you proceed with the configuration, make sure you complete the following:
+Configure your IdP as an external IdP in Asgardeo. Depending on your IdP, you can select OpenID Connect or SAML as the protocol between Asgardeo and your IdP.
+Note
+If you are using OpenID Connect, configure the requested scopes accordingly for Asgardeo to get the relevant group/role details from the external IdP.
+To configure the application, follow the steps given below:
+Configure the IdP for login depending on the protocol you selected:
+Click the User Attributes tab.
+To add the user attributes as OpenID Connect scopes, follow the steps given below:
+Note
+Before you map Choreo groups to enterprise IdP groups, ensure you meet the following criteria:
+Click Manage IdP Group Mapping.
+ 
Click the edit icon corresponding to the Choreo group you want to map to the enterprise IdP group.
+In the IdP Group Name field, specify the exact name you configured in the enterprise IdP and enter to add it.
+Tip
+If there is a change to the IdP group mapping, it takes effect from the next login session onwards.
+Click Save.
+By following these steps, you have successfully configured role-based access control for enterprise login in Choreo, allowing users from the external IdP to have the appropriate permission.
+ + + + + + +With Choreo, you can set up a self-sign-up page for your Developer Portal. The self-sign-up page allows users to easily access your Developer Portal and subscribe to APIs. When you configure self-sign-up, users can create their accounts and access your Developer Portal without any manual intervention from you.
+This page walks you through the steps to configure self-sign-up for your Developer Portal.
+To configure self-sign-up, follow the steps given below:
+Send an email to choreo-help@wso2.com requesting to configure enterprise IdP for the Developer Portal of your organization.
+Tip
+Ensure you include the organization name or handle in the request.
+Sample email
+Subject : [Stark Industries] Configure enterprise IdP for Developer Portal
+Hi CS team,
+I need to configure enterprise IdP for my organization’s Developer Portal to enable self-sign-up. Can you please do the necessary configurations to proceed?
+My organization details are as follows:
+Thank you
+The Choreo support team will perform the necessary configurations and respond to your request.
+When you receive a response, sign in to Asgardeo using the same credentials that you used to sign in to Choreo.
+In the Asgardeo Console, click View all applications.
+
You will see an application named WSO2_LOGIN_FOR_CHOREO_DEV_PORTAL.
+
Click on the application to edit it and enter your organization’s Developer Portal URL as the Access URL of the application. For example, https://devportal.choreo.dev/starkindustries.
To add user attributes, follow these steps:
+Note
+If you have enabled enterprise login and you want to add the Groups attribute during self-sign-up configuration, avoid making it mandatory. This ensures proper access control and prevents unauthorized privileges. If you make the Groups attribute mandatory, it allows self-signed-up users to specify a group and assume roles associated with it.
+To add the email as a mandatory user attribute, select Email and click the arrow to expand the section. Then, select the Requested and Mandatory checkboxes.
+
To add the first name and last name as optional attributes, select Profile and click the arrow to expand the section. Then, select the Requested checkbox for the First Name and the Last Name attributes.
+
Click Update.
+To add the user attributes as OpenID Connect scopes, follow these steps:
+Click Save and then click Save Changes.
+
To configure basic authentication as the sign-in method, follow these steps:
+Click the Sign-in Method tab and then click Start with default configuration.
+
Click Update.
+To configure self-registration, follow these steps:
+Click Update.
+
Once you complete these steps, you will see a sign up link similar to the following in your Developer Portal:
+
Users can click LOGIN/SIGN UP and then click Create an account to sign up to access your Developer Portal.
+
To manage users who want to access your Developer Portal via self-sign-up, you have two possible approaches:
+To automatically approve each new user account registered on your Developer Portal, follow the steps given below:
+Once you enable auto-approval, users can sign in to your Developer Portal and view your APIs and applications immediately after creating an account.
+If you have not enabled auto-approval, you can manually approve or reject new user registrations. Once a user creates an account, Choreo sends an email to ask the user to confirm the account. To manually approve or reject user accounts, follow the steps given below:
+To approve a user account, click Approve. To reject an account, click Reject.
+If you reject an account, the user will receive an email mentioning that their account is rejected.
+Note
+A rejected user cannot sign up to your Developer Portal using the same account again.
+In the Choreo Console, you have the ability to manage access to projects and the actions that can be performed within them. Administrators have the capability to restrict project access to specific user groups. This feature is useful when you need certain user groups to have access to particular projects or for a set of projects.
+Choreo uses Roles, Groups, and a Mapping level to control access to the Choreo Console as follows:
+Group : Group is a collection of users. A user group requires a role or multiple roles to be assigned to it so that the users in those groups get the relevant permissions via the assigned roles. Learn more
+Mapping level : A mapping level defines the extent at which a role-group mapping can be done. Choreo has two defined resource levels.
+In Choreo, authorization operates by assigning a role to a group at a specified level. The level at which the role is assigned determines the extent of permissions granted to users.
+Important
+Avoid assigning multiple roles to a single user across different projects or levels (organization and project). Such assignments can grant users unintended permission to some projects, allowing them to perform tasks they shouldn't have access to. Therefore, it is recommended to assign only one role to a user across projects or levels to ensure proper access control.
+Info
+In Choreo, organization-level permissions take precedence over project-level permissions.
+To elaborate further, refer to the following diagram.
+The following diagram depicts a role-group assignment at a specific resource level. In the diagram, an admin user has assigned the Developer role to all members of the Engineering group within the Engineering Project. This grants users in the Engineering group the ability to perform all actions allowed by the Developer role within the Engineering Project.
+
Now that you understand the basic concepts of access control within the Choreo Console, let’s try out a sample scenario to manage access within a project.
+Assume you are overseeing the Engineering Project within your organization and you need to grant development access to specific users solely within this project. Here's a step-by-step guide on how to achieve this:
+Follow the steps given below to create a project:
+Enter a display name, unique name, and description for the project. You can enter the values given below:
+Info
+In the Name field, you must specify a name to uniquely identify your project in various contexts. The value is editable only at the time you create the project. You cannot change the name after you create the project.
+| Field | +Value | +
|---|---|
| Project Display Name | +Engineering Project |
+
| Name | +engineering-project |
+
| Project Description | +My sample project |
+
Click Create. This creates the project and takes you to the project home page.
+Follow the steps given below to create a group with the name Engineering Project Developer:
Enter a group name and group description. You can enter the values given below:
+| Field | +Value | +
|---|---|
| Group Name | +Engineering Project Developer |
+
| Group Description | +Users with development access within the engineering project |
+
Click Create.
+Follow the steps given below to assign the Developer role to the Engineering Project Developer group that you created:
+Click Add. This assigns the Developer role to the group. You should see the mapping level as Project (Engineering Project) as follows, indicating the scope of the mapping:
+
This means that you have granted developer access to users in the Engineering Project Developer group in the scope of the Engineering Project.
+Now that you have set up access control, you can proceed to add users to the new group.
+There are two approaches you can follow to add users to the group.
+Follow the steps given below to add a new user as a project developer:
+Follow the steps given below to add an existing user as a project developer:
+Tip
+Make sure to remove the user from any other groups to avoid granting organization-level access unintentionally.
+Note
+Now you have successfully set up access control within your project.
+ + + + + + +API subscription plans are essential to control and manage access to APIs. These plans define the rules and limitations on how clients can interact with APIs, ensuring efficient resource utilization and robust security. With the option to set rate limits and burst control, subscription plans allow API providers to manage traffic, prevent misuse, and offer tiered service levels. Organizations can implement subscription plans to provide varying levels of API access, accommodating different user needs and business models, while ensuring optimal performance and security.
+In Choreo, users with the administrator role can create, update, and delete subscription plans at the organization level.
+Tip
+Deleting a subscription plan is only possible if there are no active subscriptions associated with it.
+To create an organization-level subscription plan, follow the steps given below:
+In the Create Subscription Plan pane, enter the appropriate values for each field:
+Note
+
Click Create. This creates the subscription plan and lists it under Subscription Plans.
+After creating subscription plans, users with the API publisher role can assign subscription plans to APIs. API consumers can then choose the appropriate subscription plan during the subscription process depending on their requirements.
+ + + + + + +The Developer Portal allows API consumers to find and consume APIs with ease. You can change the look and feel of your Developer Portal by changing the theme to match your brand. Doing so will help you give a better developer experience to your users.
+To customize the Developer Portal theme, follow the steps given below:
+Note
+Sign in to the Choreo Console at https://console.choreo.dev/ using a Google/ GitHub/ Microsoft account.
+In the left pane, click Settings.
+In the header, click the Organization list. This will open the organization level settings page.
+In the API Management tab, click Devportal Theme.
+
Once you access the theme, you can customize the Home page, color theme, font, header and footer, logos, etc., by expanding the relevant sections.
+Make a change to the theme. For example, let's change the title on the Home page and the color theme.
+To update the title on the Home page, expand the Home Page section, and in the Title field, change the default text (for example, to Try our APIs!).
To update the color theme, expand the Color Palette section, and change the colors as required (for example, change the background color to #C3C5CD and the primary color of the buttons to #086634).
Click Preview to view a preview of the Developer Portal with the changes you made. Based on the changes given in the examples, the preview appears as follows.
+
Click Save to save your changes as a draft theme.
+To apply the changes to the Developer Portal, toggle the Go Live switch. To confirm that you want to go live with the changes, click Enable in the message that appears.
+Sign in to the Choreo Developer Portal at https://devportal.choreo.dev.
+The Home page will appear as it did in the preview.
+To reset the Developer Portal theme to the default theme, follow the steps given below:
+Sign in to the Choreo Console at https://console.choreo.dev/ using a Google, GitHub, or Microsoft account.
+In the left pane, click Settings.
+In the header, click the Organization list. This will open the organization level settings page.
+In the Organization tab, click Devportal Theme, and then click Reset to Default.
+An organization administrator can invite users to the organization by assigning them specific groups. Invited users receive an invitation via email. An invited user must accept the invitation to join the organization and access the resources of that organization.
+ + + + + + +An organization in Choreo is a logical grouping of users and user resources. A first-time user must create an organization and be a user of it when signing in to Choreo. Users and resources in an organization cannot access resources in another organization unless an admin of the other organization invites them and adds them as a user of that organization.
+An organization administrator can invite users to the organization by assigning them specific groups. Invited users receive an invitation via email. An invited user must accept the invitation to join the organization and access the resources of that organization.
+For details on how Choreo manages user permission, see Manage user permission.
+ + + + + + +In Choreo, administrators can configure approvals for workflows and assign specific users as approvers.
+If you are assigned as an authorized reviewer for a particular workflow approval request, you will receive an email notification when a request is submitted for approval. The email includes a summary of the request and a link to the Approvals page in the Choreo Console, where you can review the details and either approve or reject the request.
+Note
+Other approvers within your organization will also receive notifications for workflow requests and may review a request before you. If a request has already been reviewed, it will appear under the Past tab on the Approvals page.
+Approval requests are submitted on behalf of the team. Once approved, any authorized team member can execute the task. For certain tasks, execution may occur automatically upon approval.
+To view workflow approval requests assigned to you, follow these steps:
+To approve or reject a request, follow these steps:
+A set of rules enforcing OWASP security guidelines to prevent common vulnerabilities and ensure secure coding practices.
+Use random IDs that cannot be guessed. UUIDs are preferred but any other random string will do.
+Basic authentication credentials transported over network are more susceptible to interception than other forms of authentication, and as they are not encrypted it means passwords and tokens are more easily leaked.
+API Keys are passed in headers, cookies, or query parameters to access APIs. Those keys can be eavesdropped, especially when they are passed in the URL, as logging or history tools will keep track of them and potentially expose them.
+URL parameters MUST NOT contain credentials such as API key, password, or secret.
+There are many HTTP authorization schemes but some of them are now considered insecure, such as negotiating authentication using specifications like NTLM or OAuth v1.
+JSON Web Tokens RFC7519 is a compact, URL-safe, means of representing claims to be transferred between two parties. JWT can be enclosed in encrypted or signed tokens like JWS and JWE.
+The JOSE IANA registry provides algorithms information.
+RFC8725 describes common pitfalls in the JWx specifications and in
+their implementations, such as:
+- the ability to ignore algorithms, eg. {"alg": "none"};
+- using insecure algorithms like RSASSA-PKCS1-v1_5 eg. {"alg": "RS256"}.
+An API using JWT should explicit in the description
+that the implementation conforms to RFC8725.
+
components:
+ securitySchemes:
+ JWTBearer:
+ type: http
+ scheme: bearer
+ bearerFormat: JWT
+ description: |-
+ A bearer token in the format of a JWS and conformato
+ to the specifications included in RFC8725.
+Using short-lived access tokens is a good practice, and when using OAuth 2 this is done by using refresh tokens. If a malicious actor is able to get hold of an access token then rotation means that token might not work by the time they try to use it, or it could at least reduce how long they are able to perform malicious requests.
+Define proper rate limiting to avoid attackers overloading the API. There are many ways to implement rate-limiting, but most of them involve using HTTP headers, and there are two popular ways to do that:
+IETF Draft HTTP RateLimit Headers:. https://datatracker.ietf.org/doc/draft-ietf-httpapi-ratelimit-headers//
+Customer headers like X-Rate-Limit-Limit (Twitter: https://developer.twitter.com/en/docs/twitter-api/rate-limits or X-RateLimit-Limit (GitHub: https://docs.github.com/en/rest/overview/resources-in-the-rest-api)
+Define proper rate limiting to avoid attackers overloading the API. Part of that involves setting a Retry-After header so well meaning consumers are not polling and potentially exacerbating problems.
+Array size should be limited to mitigate resource exhaustion attacks. This can be done using maxItems. You should ensure that the subschema in items is constrained too.
String size should be limited to mitigate resource exhaustion attacks. This can be done using maxLength, enum or const.
Integers should be limited to mitigate resource exhaustion attacks. This can be done using minimum and maximum, which can with e.g.: avoiding negative numbers when positive are expected, or reducing unreasonable iterations like doing something 1000 times when 10 is expected.
Integers should be limited to mitigate resource exhaustion attacks. This can be done using minimum and maximum, which can with e.g.: avoiding negative numbers when positive are expected, or reducing unreasonable iterations like doing something 1000 times when 10 is expected.
Integers should be limited to mitigate resource exhaustion attacks. Specifying whether int32 or int64 is expected via format.
Setting up CORS headers will control which websites can make browser-based HTTP requests to your API, using either the wildcard "*" to allow any origin, or "null" to disable any origin. Alternatively you can use "Access-Control-Allow-Origin: https://example.com" to indicate that only requests originating from the specified domain (https://example.com) are allowed to access its resources.
+More about CORS here: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS.
+Server interactions must use the http protocol as it's inherently insecure and can lead to PII and other sensitive information being leaked through traffic sniffing or man-in-the-middle attacks. Use the https or wss schemes instead.
+Learn more about the importance of TLS (over SSL) here: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html
+Server interactions must not use the http:// as it's inherently insecure and can lead to PII and other sensitive information being leaked through traffic sniffing or man-in-the-middle attacks. Use https:// or wss:// protocols instead.
+Learn more about the importance of TLS (over SSL) here: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html
+Servers are required to use vendor extension x-internal set to true or false to explicitly explain the audience for the API, which will be picked up by most documentation tools.
+Make it clear which servers are expected to run as which environment to avoid unexpected problems, exposing test data to the public, or letting bad actors bypass security measures to get to production-like environments.
+By default JSON Schema allows additional properties, which can potentially lead to mass assignment issues, where unspecified fields are passed to the API without validation. Disable them with additionalProperties: false or add maxProperties.
By default JSON Schema allows additional properties, which can potentially lead to mass assignment issues, where unspecified fields are passed to the API without validation. Disable them with additionalProperties: false or add maxProperties
By default JSON Schema allows unevaluated properties, which can potentially lead to mass assignment issues, where unspecified fields are passed to the API without validation. Disable them with unevaluatedProperties: false or add maxProperties.
By default JSON Schema allows unevaluated properties, which can potentially lead to mass assignment issues, where unspecified fields are passed to the API without validation. Disable them with unevaluatedProperties: false or add maxProperties
OWASP API Security recommends defining schemas for all responses, even errors. A HTTP 429 response signals the API client is making too many requests, and will supply information about when to retry so that the client can back off calmly without everything breaking. Defining this response is important not just for documentation, but to empower contract testing to make sure the proper JSON structure is being returned instead of leaking implementation details in backtraces. It also ensures your API/framework/gateway actually has rate limiting set up.
+To avoid unexpected values being sent or leaked, strings should have a format, RegEx pattern, enum, or const.
Carefully define schemas for all the API responses, including either 400, 422 or 4XX responses which describe errors caused by invalid requests.
+OWASP API Security recommends defining schemas for all responses, even errors. The 401 describes what happens when a request is unauthorized, so its important to define this not just for documentation, but to empower contract testing to make sure the proper JSON structure is being returned instead of leaking implementation details in backtraces.
+OWASP API Security recommends defining schemas for all responses, even errors. The 500 describes what happens when a request fails with an internal server error, so its important to define this not just for documentation, but to empower contract testing to make sure the proper JSON structure is being returned instead of leaking implementation details in backtraces.
+Using external resources based on user input for webhooks, file fetching from URLs, custom SSO, URL previews, or redirects can lead to a wide variety of security issues.
+Learn more about Server Side Request Forgery https://owasp.org/API-Security/editions/2023/en/0xa7-server-side-request-forgery/.
+A guide detailing best practices for creating robust, scalable, and secure APIs, ensuring alignment with industry standards for optimal design.
+Paths must be kebab-case, with hyphens separating words.
Invalid Example
+userInfo must be separated with a hyphen.
Valid Example
+ + +Paths must not include json or xml file extensions.
Invalid Example
+The path contains a .json extension.
Valid Example
+ + +Verbs such as get, delete, and put must not be included in paths because this information is conveyed by the HTTP method.
Invalid Example
+The path contains the verb get.
Valid Example
+ + +Path parameters must be snake_case, with each word separated by an underscore character and the first letter of each word lowercase. Also, the path parameter must not contain digits.
Invalid Example
+The name property on line 9 (userId) must be separated by an underscore character and the I must be lowercase.
{
+ "paths": {
+ "/users/{userId}": {
+ "parameters": [
+ {
+ "schema": {
+ "type": "integer"
+ },
+ "name": "userId",
+ "in": "path"
+ }
+ ]
+ }
+ }
+ }
+Valid Example
+{
+ "paths": {
+ "/users/{userId}": {
+ "parameters": [
+ {
+ "schema": {
+ "type": "integer"
+ },
+ "name": "user_id",
+ "in": "path"
+ }
+ ]
+ }
+ }
+ }
+Query parameters must be snake_case, with each word separated by an underscore character and the first letter of each word lowercase. Also, the query parameter must not contain digits.
Invalid Example
+The name property on line 8 (user-Id) must be separated by an underscore character and the I must be lowercase.
{
+ "parameters": [
+ {
+ "schema": {
+ "type": "string"
+ },
+ "in": "query",
+ "name": "user-Id"
+ }
+ ]
+}
+Valid Example
+{
+ "parameters": [
+ {
+ "schema": {
+ "type": "string"
+ },
+ "in": "query",
+ "name": "user_id"
+ }
+ ]
+ }
+Resource names should generally be plural.
+Invalid Example
+ + +Valid Example
+ + +Paths should not contain special characters, such as $ & + , ; = ? and @%.
Invalid Example
+The path contains an ampersand.
+ + +Valid Example
+ + +Server must have /api
+A set of guidelines focused on enforcing uniformity in API style, including naming conventions, formatting, and documentation to ensure clarity and maintainability across all APIs.
+Operation IDs must not contain characters that are invalid for URLs.
+Invalid Example
+The operationId in this example includes a pipe and space, which are invalid for URLs.
Valid Example
+This operationId is valid for URLs.
Path parameter declarations must not be empty.
+Invalid Example
+/users/{}
Valid Example
+/users/{userId}
Paths must not end with a trailing slash.
+/users and /users/ are separate paths. It's considered bad practice for them to differ based only on a trailing slash. It's usually preferred to not have a trailing slash.
Invalid Example
+The users path ends with a slash.
Valid Example
+ + +Server URLs must be lowercase. This standard helps meet industry best practices.
+Invalid Example
+The url property uses uppercase letters.
Valid Example
+The url property is fully lowercase.
OpenAPI 2 host schemes reflect the transfer protocol of the API.
+Host schemes must be present and an array with one or more of these values:
+http, https, ws, or wss.
Valid Example
+This example shows that host schemes are http and https.
Schemas with type: array, require a sibling items field.
Recommended: Yes
+Good Example
+TheGoodModel:
+ type: object
+ properties:
+ favoriteColorSets:
+ type: array
+ items:
+ type: array
+ items: {}
+Bad Example
+TheBadModel:
+ type: object
+ properties:
+ favoriteColorSets:
+ type: array
+ items:
+ type: array
+The contact object should have a valid organization URL.
Valid Example
+ + +The contact object should have a valid email.
Valid Example
+ + +The info object should include a contact object.
Valid Example
+{
+ "info": {
+ ... ,
+ "contact": {
+ "name": "ACME Corporation",
+ "url": "https://acme.com",
+ "email": "support.contact@acme.com"
+ }
+ }
+}
+The info object should have a description object.
Valid Example
+ + +The info object should have a license object.
Valid Example
+{
+ "info": {
+ ... ,
+ "license": {
+ "name": "Attribution-ShareAlike 4.0 International (CC BY-SA 4.0)",
+ "url": "https://creativecommons.org/licenses/by-sa/4.0/"
+ }
+ }
+}
+The license object should include a valid url.
Valid Example
+{
+ "license": {
+ "name": "Attribution-ShareAlike 4.0 International (CC BY-SA 4.0)",
+ "url": "https://creativecommons.org/licenses/by-sa/4.0/"
+ }
+}
+Markdown descriptions should not contain eval() functions,
+which pose a security risk.
Invalid Example
+ + +Markdown descriptions should not contain script tags, which pose a security risk.
Invalid Example
+{
+ "info": {
+ ... ,
+ "description": "API for users. <script>alert(\"You are Hacked\");</script>"
+ }
+}
+Global tags specified at the root OpenAPI Document level should be in alphabetical order based on the name property.
Invalid Example
+ + +Valid Example
+ + +At least one global tag should be specified at the root OpenAPI Document level.
+Valid Example
+ + +Each operation should have a description.
+Valid Example
+ + +All operations should have an operationId.
Valid Example
+ + +At least one tag should be defined for each operation.
+Valid Example
+ + +The contact object should have an organization name.
Valid Example
+ + +Path keys should not end in forward slashes. This is a best practice for working with web tooling, such as mock servers, code generators, application frameworks, and more.
+Invalid Example
+ + +Valid Example
+ + +Paths should not include query string items. Instead, add them as parameters with in: query.
Invalid Example
+ + +Valid Example
+{
+ "parameters": [
+ {
+ "schema": {
+ "type": "string"
+ },
+ "name": "id",
+ "in": "path",
+ "required": true,
+ "description": "User's ID"
+ }
+ ]
+}
+Tags defined at the global level should have a description.
+Valid Example
+ + +A server should be defined at the root document level. This can be localhost, a development server, or a production server.
+Valid OpenAPI V3 Example
+{
+ "servers": [
+ {
+ "url": "https://staging.myprodserver.com/v1",
+ "description": "Staging server"
+ },
+ {
+ "url": "https://myprodserver.com/v1",
+ "description": "Production server"
+ }
+ ]
+}
+Valid OpenAPI V2 Example
+ + +Server URLs should not end in forward slashes. This is a best practice for working with web tooling, such as mock servers, code generators, application frameworks, and more.
+Invalid Example
+ + +Valid Example
+ + +Server URLs must not direct to example.com. This helps ensure URLs +are valid before you distribute your API document.
+Invalid Example
+ + +Valid Example
+ + +All parameter objects should have a description.
Valid Example
+{
+ "parameters": [
+ {
+ "schema": {
+ "type": "integer"
+ },
+ ... ,
+ ... ,
+ "description": "The number of days to include in the response."
+ }
+ ]
+}
+The anyOf keyword is not supported in OAS2. Only allOf is supported.
Invalid Example
+{
+ "schema": {
+ "anyOf": [
+ {
+ "properties": {
+ "firstName": {
+ "type": "string"
+ },
+ "lastName": {
+ "type": "string"
+ }
+ }
+ },
+ {}
+ ]
+ }
+}
+Valid Example
+{
+ "schema": {
+ "type": "object",
+ "properties": {
+ "firstName": {
+ "type": "string"
+ },
+ "lastName": {
+ "type": "string"
+ }
+ }
+ }
+}
+The oneOf keyword is not supported in OAS2. Only allOf is supported.
Invalid Example
+{
+ "schema": {
+ "oneOf": [
+ {
+ "properties": {
+ "firstName": {
+ "type": "string"
+ },
+ "lastName": {
+ "type": "string"
+ }
+ }
+ },
+ {}
+ ]
+ }
+}
+Valid Example
+{
+ "schema": {
+ "type": "object",
+ "properties": {
+ "firstName": {
+ "type": "string"
+ },
+ "lastName": {
+ "type": "string"
+ }
+ }
+ }
+}
+The examples object should include a value or externalValue field, but cannot include both.
Invalid Example
+This example includes both a value field and an externalValue field.
{
+ "examples": {
+ "example-1": {
+ "value": {
+ "id": "string",
+ "name": "string"
+ },
+ "externalValue": {
+ "id": "string",
+ "name": "string"
+ }
+ }
+ }
+}
+Valid Example
+This example includes only a value field.
{
+ "examples": {
+ "example-1": {
+ "value": {
+ "id": "string",
+ "name": "string"
+ }
+ }
+ }
+}
+Path parameters should be defined on the path level instead of the operation level.
+Invalid Example
+The user_id path parameter on line 8 should not be included with the patch operation.
{
+ "patch": {
+ "parameters": [
+ {
+ "schema": {
+ "type": "integer"
+ },
+ "name": "user_id",
+ "in": "path"
+ }
+ ]
+ }
+}
+Valid Example
+The user-id path parameter is correctly located at the path level.
{
+ "paths": {
+ "/users/{userId}": {
+ "parameters": [
+ {
+ "schema": {
+ "type": "integer"
+ },
+ "name": "user_id",
+ "in": "path"
+ }
+ ]
+ }
+ }
+}
+Paths should not have query parameters in them. They should be defined separately in the OpenAPI.
+Invalid Example
+ + +Valid Example
+{
+ "parameters": [
+ {
+ "schema": {
+ "type": "string"
+ },
+ "name": "id",
+ "in": "path",
+ "required": true,
+ "description": "User's ID"
+ }
+ ]
+}
+Operation should not have more than a single tag.
+API policies are units of business logic that you can apply to modify the flow of API invocations.
+You can apply a policy to alter the Request, Response, or Error flow of an API invocation before it reaches the backend or the client. For example, you can add a policy to the response flow to transform the payload from JSON to XML and add a header to the response.
Choreo supports a set of inbuilt mediation policies that can handle common API transformation and mediation tasks. These policies run within a single mediation service, making it straightforward to implement and manage complex mediation logic. The following inbuilt policies are available in Choreo:
+${headerName}.${fooValue}.${authzHeaderValue}.${authzHeaderValue}. ${myResourcePath}.Log Headers and Log Payload parameters. To exclude specific headers when logging, you can use the Excluded Headers parameter, which takes a comma-separated list of header names. An error will occur if payload logging is enabled but the payload cannot be read.These inbuilt mediation policies provide flexibility to manage API requests and responses, allowing for custom transformations and logic without requiring custom code.
+For details on attaching and managing one or more policies to an API proxy component implementation via the Choreo Console, see Attach and Manage Policies.
+For details on applying advanced settings on mediation policies, see Apply Advanced Settings on Mediation Policies.
+ + + + + + +Advanced settings for mediation policies are available for proxy components with an attached mediation policy. For details on attaching a mediation policy to a proxy component, see Attach and Manage Policies.
+The approach to applying advanced settings depends on whether the proxy component is deployed or not.
+| Setting | +Purpose | +How to apply | +Impact | +
|---|---|---|---|
| HTTP version | +By default, Choreo supports HTTP 1.1. If necessary, you can change to HTTP 1.0 or HTTP 2.0. | +Specify the required HTTP version in the Advanced Settings field.  |
+The mediation application will use the specified HTTP version when interacting with backend services. | +
| Hostname verification | +Choreo enables hostname verification by default when using mTLS. You can disable it if necessary. | +Set the verifyHostname parameter to false in the Advanced Settings field.  |
+Hostname verification will be skipped during mTLS interactions. | +
| Minimum evictable idle time | +Determines how long (in seconds) an outgoing connection remains idle before eviction. The default is 300 seconds. | +Set the required idle time in the Advanced Settings field.  |
+Idle connections will be closed and evicted after the defined period. | +
| Detailed access log | +By default, logs related to the mediation application are generated and can be viewed as runtime logs. You can disable these logs if necessary. | +Set the detailedAccessLog parameter in the Advanced Settings field.  |
+Logs related to the mediation application will not be generated. | +
To configure advanced settings for a proxy component with an attached mediation policy, follow these steps:
+You can easily attach one or more policies to an API proxy component implementation via the Choreo Console. If necessary, you can also rearrange or swap the policies you attach.
+In Choreo, when you attach a mediation policy to a proxy, the deployment is a two-step process.
+Deployment initiation:
+If the component to which you want to attach the mediation policy is new, the system creates and commits a new repository with the mediation service code based on the attached policy. This new service is called the mediation application.
+Deploying the API:
+Once the deployment initiation is complete, you can specify configuration values if any, and proceed to deploy. Choreo builds the generated mediation application and pushes the Docker image to the Docker registry. Finally, Choreo deploys the mediation application with the API Proxy.
+When a mediation policy is attached to a specific flow, the API invocation undergoes the following behavioral modification:
+
In the request path, the requests that pass through the gateway reach the relevant component, and Choreo executes any attached policies to the resource's request path before sending it to the backend.
+In the response path, the mediation component receives response messages from the backend, and Choreo executes any mediation policies attached to the Response flow or the Error flow. Then the response is forwarded to the client.
If an error occurs during the execution of policies or due to an internal error, Choreo executes the Error flow and sends an error response to the client.
To attach a policy to the Request, Response, or Error flow of a REST API proxy, follow the steps given below:
If the attached policy requires parameter configuration, on the policy pane enter the appropriate values and configure the parameters. To make a parameter a configurable variable, input the value in the ${<variableName>} format. For example, you can use ${name} as an example.
To attach the policy, click Add.
+After attaching an API Policy, it is necessary to deploy the API for the policy to become active within its corresponding flow. +To deploy the API follow the steps below:
+In the left navigation menu, click Deploy and then click Configure & Deploy. Choreo performs the mediation application generation step and opens the Configure & Deploy pane.
+In the Configure & Deploy pane, if you have any configurable variables that require values, specify appropriate values for them.
+
Click Save & Deploy.
+Choreo selectively generates and builds the mediation application code during component deployment depending on specific changes. These changes include:
+If none of the above changes occur during deployment, Choreo skips the code generation and build process of the mediation application.
+Info
+Choreo allows you to implement an API policy as a Ballerina project and attach it to an API proxy component.
+Info
+Supported Ballerina version: 2201.5.5
+To implement a policy, follow the steps given below:
+~/.ballerina/settings.toml file and ensure you have configured an access token to Ballerina Central. If you have not configured an access token, follow the steps given below to configure one: Settings.toml file and copy it to your local ~/.ballerina directory.Alternatively, you can set the access token via the BALLERINA_CENTRAL_ACCESS_TOKEN environment variable.
Choreo provides a template to initialize a mediation policy project with all the required configurations. The mediation policy project will be created as a Ballerina project.
+To create a Ballerina project for the mediation policy using mediation.template as the project template, issue the following command:
Format:
+ + +Example:
+ + The Ballerina project that is created should have the following content: +
Depending on your requirement, you can modify the Ballerina.toml and the Package.md files of the generated project. For example, you can update the org, package, package version, API documentation content, keywords, etc.
Note
+To successfully publish to Ballerina Central, make sure you update the org value to your organization name.
[package]
+ org = "starkindustries"
+ name = "validateHeader"
+ version = "1.0.0"
+ export = ["validateHeader"]
+ distribution = "2201.5.5"
+ keywords = ["choreo-apim-mediation-policy","choreo-apim-mediation-request-flow","choreo-apim-mediation-response-flow","choreo-apim-mediation-fault-flow"]
+In this step, you will implement the policy.
+Let's assume you want to implement a policy to validate an incoming header in the request and the response.
+403 Bad Request response to the client.To implement the policy, open the policy.bal file in the Ballerina project and update the generated policy stubs(i.e., request, response, or fault) appropriately.
The following sections walk you through sample implementations for the Request and Response stubs:
+The following is a sample implementation for the request flow:
+@mediation:RequestFlow
+public function validateRequestHeader(mediation:Context ctx, http:Request req, string headerName, string headerValue) returns http:Response|false|error|() {
+ string|http:HeaderNotFoundError header = req.getHeader(headerName);
+ if (header is http:HeaderNotFoundError) {
+ string message = string `Header ${headerName} is not found`;
+ log:printError(message);
+ return generateResponse(message, http:STATUS_BAD_REQUEST);
+ }
+ if (header != headerValue) {
+ string validationFailedMessage = string `Header validation failed. Expected ${headerValue} but found ${header}`;
+ log:printError(validationFailedMessage);
+ return generateResponse(validationFailedMessage, http:STATUS_BAD_REQUEST);
+ }
+ log:printInfo("Header validation successful");
+ return ();
+};
+
+function generateResponse(string message, int statusCode) returns http:Response {
+ http:Response response = new();
+ response.setTextPayload(message);
+ response.statusCode = statusCode;
+ return response;
+}
+The following is a sample implementation for the response flow:
+@mediation:ResponseFlow
+public function validateResponseHeader(mediation:Context ctx, http:Request req, http:Response res, string headerName, string headerValue) returns http:Response|false|error|() {
+ string|http:HeaderNotFoundError header = res.getHeader(headerName);
+ if (header is http:HeaderNotFoundError) {
+ string message = string `Header ${headerName} is not found`;
+ log:printError(message);
+ return ();
+ }
+ if (header != headerValue) {
+ string validationFailedMessage = string `Header validation failed. Expected ${headerValue} but found ${header}`;
+ log:printError(validationFailedMessage);
+ return ();
+ }
+ return ();
+}
+In this guide, you are not going to make any changes to the Fault flow. Therefore, you can remove the Fault flow stub from the policy.bal file.
Note
+The @mediation:RequestFlow, @mediation:ResponseFlow, and @mediation:FaultFlow annotations are bound with the keywords in the Ballerina.toml. Therefore, the changes you make to the policy stubs should reflect in the Ballerina.toml file. For example, if the policy is applicable only on the request and response paths, you can remove the @mediation:FaultFlow annotation from the policy. Then, you MUST also remove the choreo-apim-mediation-fault-flow keyword from the generated Ballerina.toml file. If you do not do so, the Ballerina compiler will show an error at compile time.
Choreo supports publishing a policy as a private custom policy. Publishing a policy as a private custom policy makes the policy inaccessible outside of the organization. To publish a policy as a private custom policy, change the visibility to private prior to pushing the package to Ballerina Central as follows:
Ballerina.toml file of your policy. Set the visibility to private by adding the configuration visibility="private". For example:
[package]
+ org = "orgName"
+ name = "packageName"
+ version = "1.0.2"
+ export = ["packageName"]
+ distribution = "2201.5.5"
+ keywords = ["choreo-apim-mediation-policy","choreo-apim-mediation-request-flow","choreo-apim-mediation-response-flow","choreo-apim-mediation-fault-flow"]
+ visibility = "private"
+Package and publish your policy to Ballerina Central.
+When implementing a policy, it is essential to follow best practices to ensure efficiency and maintainability. Here are some recommended best practices to follow:
+Request, Response, and Fault. You can remove any stub that you do not require. For example, when you create a policy that re-writes the resource paths, you can remove the Response and fault stubs. false if you want to terminate the mediation sequence with a predefined response (on the Choreo side).Once you implement a policy, you must publish it to Ballerina Central.
+When you attach a policy and deploy an API, Choreo pulls the necessary packages from Ballerina Central and bundles them into the mediation application under the hood. Therefore to use policies in your APIs, you must publish them as public packages.
+To publish the policy, follow the steps given below:
+To publish the package to Ballerina Central, issue the following command:
+ + +Once you publish the package, it will appear as follows in the policy list:
+
You can write unit tests to test policy functions in a manner similar to how you write unit tests for a regular Ballerina function.
+The following is a sample unit test for the validateRequestHeader function:
import ballerina/http;
+import choreo/mediation;
+import ballerina/test;
+
+
+@test:Config {}
+public function testRequestHeaderValidationFailure() {
+ http:Request req = new;
+ http:Response|false|error|() result = validateRequestHeader(createContext("get", "/test"), req, "testHeader", "test");
+
+
+ if !(result is http:Response) {
+ test:assertFail("Expected http:Response, found " + (typeof result).toString());
+ }
+
+
+ test:assertEquals(result.statusCode, http:STATUS_BAD_REQUEST, "Status code mismatch");
+}
+
+
+function createContext(string httpMethod, string resPath) returns mediation:Context {
+ mediation:ResourcePath originalPath = checkpanic mediation:createImmutableResourcePath(resPath);
+ mediation:Context originalCtx =
+ mediation:createImmutableMediationContext(httpMethod, originalPath.pathSegments(), {}, {});
+ mediation:ResourcePath mutableResPath = checkpanic mediation:createMutableResourcePath(resPath);
+ return mediation:createMutableMediationContext(originalCtx, mutableResPath.pathSegments(), {}, {});
+}
+The policy function modifies the same request/response/context instance that you pass to it. You can check the request/response/context instance after calling the policy function to verify changes.
+Here are some of the common terms used when working with policies in Choreo:
+The mediation context is used to pass parameters between policies. It is created per request and you can access it in any of the flows. For example, if a correlation ID needs to be set to the request, you can set it in the context of the request flow and access it in the response or fault flow.
+The mediation context can include the following functions:
+# Retrieves the value for the specified key.
+public function get(string name) returns anydata;
+
+
+# Stores the provided key-value pair. If a mapping exists for the key, the value is overwritten.
+public function put(string name, anydata value);
+
+
+# Removes the entry mapped by the specified key and returns the removed value.
+public function remove(string name) returns anydata;
+
+
+# Retrieves the value for the specified key. If there is no mapping for the key, return the specified
+public function getOrDefault(string name, anydata default) returns anydata;
+
+
+# Checks whether a mapping exists for the specified key.
+public function hasKey(string name) returns boolean;
+
+
+# Returns the `mediation:Context` instance which captured the initial contextual information of the resource,
+# before the mediation flow was invoked. Calling this on an original `mediation:Context` object will return itself.
+public function originalContext() returns Context;
+
+
+# The HTTP method of the resource method
+public function httpMethod() returns string;
+
+
+# Retrieves an instance of `mediation:ResourcePath` which is an API for contextual information on the resource path
+# of this resource. It also contains methods for modifying the resource path as the user sees fit. This resource
+# path is the same path used by the mediation service for deriving the backend endpoint's resource to invoke.
+# Therefore, the default behavior of the mediation service is to invoke a resource in the backend endpoint which
+# has the same relative resource path as the corresponding mediation service resource.
+public function resourcePath() returns ResourcePath;
+
+
+# Sets the given `mediation:ResourcePath` instance as the resource path of this context.
+public function setResourcePath(ResourcePath path);
+
+
+# Adds a mapping between a path param name and a resolved value for it. There need not be a path parameter in the
+# resource path by the name specified in `name` for one to use this method. On its own, the path param values have
+# no bearing on the resource path.
+public function addPathParamValue(string name, PathParamValue value);
+
+
+# Returns the collection of resolved values for the path parameters in this particular context, mapped
+# by the parameter name.
+public function resolvedPathParams() returns map<PathParamValue> & readonly;
+
+
+# Removes the resolved path parameter value which maps to the specified name.
+public function removePathParamValue(string name);
+
+
+# Adds a query parameter to the request to be sent to the backend. If there is already a query parameter by
+# with the same name, the new value will be appended to it, making it an array.
+public function addQueryParam(string name, string value);
+
+
+# Removes the specified query parameter from the request. If the value of the parameter is an array, the whole
+# array will be removed.
+public function removeQueryParam(string name);
+
+
+# Retrieves a map of all the query parameters in the current request context. The returned map is a read-only snapshot
+# of the map of query parameters in the context at the time this method was called.
+public function queryParams() returns map<string[]> & readonly;
+The Ballerina.toml file needs to include the following keywords for the mediation policies to work:
The Package.md file contains information about the policy. Choreo uses this information to render the policy configuring UI. This file is written in Markdown format and should be structured as follows.
Format:
+ + +Example:
+# ValidateHeader
+
+
+## Overview
+
+
+This policy validates the request and response headers with the configured values.
+When it comes to policy versioning in Choreo or mediation dependencies, it is important to consider the major version changes in the Ballerina language. For example, transitioning from update 1 to update 2 requires a major version increment, which can introduce significant incompatibilities.
+Therefore, to ensure compatibility, the recommended approach is to version the policy package in a manner that the major version gets upgraded when the Choreo/mediation dependency version is upgraded to a major version.
+ + + + + + +API rate limiting is a technique that allows you to control the rate of requests made to an API. Rate limiting helps +prevent system overload and enhances API performance. When you limit the number of requests that can be made in a +specific time frame, you can ensure that your API is available and responsive to all users while protecting it from +malicious attacks.
+This page walks you through the steps to enable rate limiting for your APIs via Choreo and also provides information on +the rate-limiting options supported by Choreo.
+To enable rate limiting for an API, follow the steps given below:
+Note
+You can apply rate-limiting settings separately for each environment.
+Go to the required environment card and click the view icon corresponding to the endpoint for which you want to apply rate limiting.
+Info
+If you are applying rate limiting for an API Proxy component, go to the required environment card, click the setting icon corresponding to API Configuration, and proceed to step 6.
+In the Endpoint Details pane that opens, click the settings icon.
+API-level rate limiting applies the allocated request count for the specified time unit to all operations in the API.
+Operation-level rate limiting allows you to configure different rate-limiting values for each operation. You can use this option to define specific rate-limiting values for critical API operations that require an extra layer of protection.
+The following table lists the response headers available when you enable rate limiting for your APIs. You can implement necessary rate-limiting scenarios depending on the response header values.
+| Header Name | +Description | +
|---|---|
x-ratelimit-limit |
+Denotes the request count allocated for the specified time unit. | +
x-ratelimit-reset |
+Provides the time remaining to start the next rate-limiting time unit. | +
x-ratelimit-remaining |
+Denotes the remaining request count for the specified time unit. | +
x-ratelimit-enforced |
+Visible after exceeding the allocated request count. | +
By default, the APIs published in Choreo are visible to anyone who visits the Choreo Developer Portal. By default, Choreo sets the visibility of the API to Public. However, developers can control the visibility of their APIs by changing the default option to Private or Restricted.
Visibility settings control users from viewing and modifying APIs. API visibility can be one of the following options:
+Public : The API is visible to all in the developer portal.
+Private : The API is visible to the users who only sign in to the Developer Portal.
+Restricted: The API is visible to only the user that has the roles that you specify. This option helps developers to enforce fine-grained access control to the API.
+Under General Details, select the required visibility setting from the Visibility list.
+Enable fine-grained role-based access control to the API
+Restricted from the API visibility list. Once selected, you will see the roles available in your organization in the Visible Roles list. Click Save.
+When an API consumer signs in to the Choreo Developer Portal to browse APIs, it is not sufficient to just have an API thumbnail along with the name and version of the API. An API consumer would expect to see more details about the API, such as the following:
+To provide such information that improves the overall visibility of the API, an API developer can add such documentation to an API before publishing it to the Developer Portal.
+To add documentation for an API, follow the steps given below.
+Sign in to the Choreo Console.
+In the Component Listing pane, click on the component for which you want to add documents.
+In the left navigation menu, click Manage and then click Documents.
+Specify a title for the document and provide the content in markdown syntax.
+Click Add to save the document.
+Depending on the information you need to add to the API, you can add one or more documents.
+You can also edit existing documents and delete documents if necessary.
+ + + + + + +API lifecycle management is an important aspect of API management. The API lifecycle consists of various states that an API passes through, from creation to retirement. In Choreo, there are six distinct lifecycle states: created, pre-released, published, blocked, deprecated, and retired.
+By leveraging the various lifecycle states, API managers can optimize the development process and ensure that subscribers have access to the latest and most reliable APIs.
+The following lifecycle states are applicable to APIs in Choreo:
+| API lifecycle state | +Use case | +Corresponding action | +
|---|---|---|
| CREATED | +The API is created but is not ready for consumption. | +The API is not visible to subscribers in the Developer Portal. | +
| PRE-RELEASED | +A prototype is created for early promotion and consumer testing. You can deploy a new API or a new version of an existing API as a prototype to provide subscribers with an early implementation of the API. | +The API is published to the Developer Portal as a pre-release. | +
| PUBLISHED | +The API is ready for subscribers to view and subscribe to via the Developer Portal | +The API is visible in the Developer Portal and is available for subscription. | +
| BLOCKED | +Access to the API is temporarily blocked. | +Runtime calls are blocked, and the API is not visible in the Developer Portal. | +
| DEPRECATED | +The old version of an API is moved to this state when a newer version of the API is PUBLISHED. | +The API is deployed and is available to existing subscribers. New subscriptions are disabled. Existing subscribers can continue to use it as usual until the API is retired. | +
| RETIRED | +The API is no longer in use when it is in this state. | +The API is unpublished and deleted from the Developer Portal. | +
To change the lifecycle state of an API via the Choreo Console, follow the instructions given below:
+Tip
+You must have publishing privileges to manage the lifecycle states of a component.
+API subscription plans allow API publishers to control and manage access to APIs. These plans define the rules and limitations on how clients can interact with APIs, ensuring efficient resource utilization and robust security.
+Choreo allows users with the administrator role to create, update, and delete subscription plans at the organization level. For instructions on creating subscription plans, see Create API Subscription Plans.
+Once created, Choreo allows API publishers to assign subscription plans to APIs, providing different levels of access based on user needs.
+To assign subscription plans to an API, follow the steps given below:
+Enable the Subscription Plan Status toggle corresponding to the subscription plans you want to assign to the API.
+
Click Save.
+When an API has subscription plans assigned to it, API consumers can select the plan that best fits their requirements during the subscription process. For details, see Subscribe to an API with a Subscription Plan
+ + + + + + +If an API has subscription plans assigned to it, API consumers can select the subscription plan that best fits their requirements at the time of subscribing to the API.
+To subscribe to an API with a subscription plan, follow the steps given below:
+Click Add Subscription.
+
To verify that the subscription plan works as expected, follow the steps given below:
+Invoke the API until you exceed the request limit set in the subscription plan. You will see that the API throttles further requests once the limit is reached.
+
Choreo allows you to make one or more endpoints accessible through its service and integration components. These endpoints are published as individual APIs in Choreo, accessible via the Choreo Developer Portal. By default, Choreo assigns an API name by combining the component name and the endpoint name, resulting in the following format: <component name>-<endpoint name>. For example, if you create a component named Ballerina Reading List, the API is displayed as Ballerina Reading List - GraphQL Reading List 591.
Choreo provides you with the flexibility to personalize the display name of the API, enhancing its user-friendliness and readability. Once you modify the API display name within the Choreo Console, Choreo applies the change immediately. From there onwards, Choreo displays the published API by this name in the Choreo Developer Portal.
+Follow the steps below to rename the API display name:
+Now, you can view the updated API display name in the Choreo Developer Portal.
+ + + + + + +Mutual transport layer security (mutual TLS) is a protocol that ensures privacy, integrity, and authentication of the data transmitted between two endpoints. In mutual TLS, the client and the server authenticate each other using digital certificates, establishing trust and verifying identities. Upon successful authentication, mutual TLS encrypts the data exchanged between the client and the server, preventing unauthorized access.
+In Choreo, you can use mutual TLS to establish secure connections between components within a project.
+Note
+If mutual TLS is not required, you can configure TLS instead. TLS provides a secure communication channel between a client and server but does not require the client to present a certificate to the server. This results in the absence of mutual authentication between the client and the server. While TLS ensures the confidentiality of data transmitted between the client and server, preventing unauthorized tampering, mutual TLS enhances TLS by introducing client-side authentication and facilitating mutual verification of identities between the client and server.
+To configure TLS, you can follow the same steps as for mutual TLS as mentioned below, without having to generate a client certificate. The client only needs the root certificate to verify the server's identity.
+Root certificate: Trusted by both the client and the server, this certificate is used to verify the authenticity of other certificates presented during the mutual TLS handshake process and to issue certificates for clients and servers. For a specific project, you can generate a single root certificate using a tool like OpenSSL.
+Client certificate: Contains the client’s identity for authentication. The common name (CN) in the certificate identifies the client. The generated client certificate must be signed by the root certificate.
+Server certificate: Clients use the server certificate to verify the trustworthiness of the server and establish a secure and authenticated connection. Similar to the client certificates, the server certificate must also be signed by the root certificate. When generating the server certificate, you must specify the server's hostname for the subject alternative name (SAN). You can obtain the hostname for the specific version of a service component from any project endpoint on the Overview page.
+For example, if your project endpoint is http://my-service-3781140846:7080/todos, the hostname will be my-service-3781140846.
The approach to read mutual TLS certificates from a component can vary depending on its implementation. Typically, a component can read the certificate data from the file system or via an environment variable. For detailed instructions on adding environment variables and file mounts to your application, see Manage Configurations and Secrets.
+Info
+When you specify a private key, ensure you save it as a secret.
+For a sample that demonstrates how you can deploy services that communicate using mutual TLS, see service-to-service-mtls.
+ + + + + + +There are scenarios where a backend service needs to apply specific logic or make decisions depending on the user consuming an API. In such scenarios, you must pass end-user attributes to the backend during an API call.
+Choreo provides a method to send user information to a backend service through a JSON Web Token (JWT) in an HTTP header of an API request.
+The backend JWT contains claims transferred between the parties, such as the user and the backend. A claim can be metadata of the request or data about the user. A set of claims is called a dialect, for example, http://wso2.org/claims.
For each API request, a digitally signed JWT is carried to the backend service in the following format to ensure that the authenticity of the claims list is verified:
+{token header}.{claims list}.{signature}
When a request goes through Choreo, the backend JWT is appended as the X-JWT-Assertion header in the outgoing message. The backend service fetches the JWT and retrieves the required information about the user, application, or token.
Claims are fragments of information included in the JWT.
+The following is a sample claim set added to the end-user token for an access token generated via the authorization code:
+Tip
+This access token is generated via Asgardeo using the authorization code grant type. Here, the Asgardeo application is configured to include the email claim in the token.
+{
+ "sub": "11f53c32-f8ac-4810-bb79-615b2184baf5",
+ "http://wso2.org/claims/apiname": "JWT Test - Endpoint 9090 803",
+ "http://wso2.org/claims/applicationtier": "Unlimited",
+ "http://wso2.org/claims/version": "1.0.0",
+ "http://wso2.org/claims/keytype": "PRODUCTION",
+ "iss": "wso2.org/products/am",
+ "http://wso2.org/claims/applicationname": "jwtTest2",
+ "http://wso2.org/claims/enduserTenantId": "0",
+ "http://wso2.org/claims/applicationUUId": "45101ccb-865f-4f48-b7ac-18e43b07edd3",
+ "client_id": "IMJB5ZiR1dHQYBdiMIRAGis1WToa",
+ "http://wso2.org/claims/subscriber": "5f4a7105-a889-4f92-9612-eef5bafe4eec",
+ "azp": "IMJB5ZiR1dHQYBdiMIRAGis1WToa",
+ "org_id": "b554e001-761c-4d3a-a7a6-a61d73d34221",
+ "http://wso2.org/claims/tier": "Unlimited",
+ "scope": "email openid profile",
+ "exp": 1690537362,
+ "http://wso2.org/claims/applicationid": "45101ccb-865f-4f48-b7ac-18e43b07edd3",
+ "http://wso2.org/claims/usertype": "Application_User",
+ "org_name": "test",
+ "iat": 1690533762,
+ "email": "testmail@gmail.com",
+ "jti": "69558555-d386-4a81-9ca0-0a23f809cd3c",
+ "http://wso2.org/claims/apicontext": "/b554e001-761c-4d3a-a7a6-a61d73d34221/swog/jwt-test/endpoint-9090-803/1.0.0"
+}
+The following table describes the information contained in the sample JWT claims set given above:
+| Claim Name | +Description | +Mandatory/Optional | +
|---|---|---|
iat |
+The time the token was issued. | +Mandatory | +
jti |
+The unique token identifier. | +Mandatory | +
exp |
+The token expiry time. | +Mandatory | +
iss |
+The issuer of the token. | +Mandatory | +
http://wso2.org/claims/apiname |
+The name of the API in Choreo. | +Optional | +
http://wso2.org/claims/version |
+The API version. | +Optional | +
http://wso2.org/claims/keytype |
+The environment in Choreo that the API is in (Development or production). |
+Optional | +
http://wso2.org/claims/apicontext |
+The API context in Choreo. | +Optional | +
http://wso2.org/claims/subscriber |
+The subscriber to the API, usually the app developer. | +Optional | +
http://wso2.org/claims/applicationname |
+The application through which the API invocation is done. | +Optional | +
http://wso2.org/claims/applicationid |
+The ID of the application through which the API invocation is done. | +Optional | +
http://wso2.org/claims/applicationUUId |
+The UUID of the application. | +Optional | +
client_id |
+The client identifier. This is copied from the original token. | +Optional | +
azp |
+The authorized party (the party to which the ID token was issued). This is copied from the original token. | +Optional | +
org_id |
+The organization ID. This is copied from the original token. | +Optional | +
org_name |
+The organization name. This is copied from the original token. | +Optional | +
http://wso2.org/claims/tier |
+The tier/price band for the subscription. | +Optional | +
scope |
+The scope of the token. This is copied from the original token. | +Optional | +
http://wso2.org/claims/usertype |
+The type of application user whose action invoked the API. | +Optional | +
email |
+The email address of the user. This is copied from the original token. | +Optional | +
Note
+The claims that get added to the end-user token can vary depending on the grant type used when generating the access token. For example, if you use the client-credentials grant type to generate the access token, the generated backend JWT would contain the following information:
+{
+ "http://wso2.org/claims/apiname": "DefaultAPI",
+ "http://wso2.org/claims/version": "1.0.0",
+ "http://wso2.org/claims/keytype": "PRODUCTION",
+ "iss": "wso2.org/products/am",
+ "http://wso2.org/claims/enduserTenantId": "0",
+ "exp": 1673245727,
+ "http://wso2.org/claims/usertype": "Application_User",
+ "iat": 1673242127,
+ "jti": "6e3f4392-8bd9-4900-9d08-eaab7429c510",
+ "http://wso2.org/claims/apicontext": "/9e71ab5e-6df5-4727-92d2-80ecf1a6218d/qbky/default/1.0.0"
+}
+To verify the authenticity of claims in a JWT, the claims must be validated using the public key corresponding to the private key used to sign the JWT.
+JSON web key set (JWKS) is a set of keys to validate a JWT. It contains a collection of JSON web keys, which are public keys used to verify the signature of a JWT.
+Typically, when a third party (such as an identity provider)issues a JWT and the recipient needs to verify its signature, they can use a JWKS. +JWKS allows the issuer to rotate keys dynamically rather than hard-coding the public key in the application. The recipient can obtain the public key by accessing the JWKS endpoint.
+Choreo provides an endpoint to specify the public keys for backend JWT validation. Here are the endpoint URLs for the US East and EU regions:
+Note
+For private data planes (PDPs), use the following JWKS endpoint URL template:
+https://<PDP_GATEWAY_DOMAIN>/.wellknown/jwks
Be sure to replace <PDP-GATEWAY-DOMAIN> with the default domain configured to access the PDP APIs.
The endpoint provides one or more signing keys to validate the JWT. +The JSON web keys have a kid identifier that can be matched with the same property on the JWT to decide which key to use when validating.
+The following is a sample JWKS response:
+{
+ "keys": [
+ {
+ "kty": "RSA",
+ "e": "AQAB",
+ "use": "sig",
+ "kid": "ZjcwNmI2ZDJmNWQ0M2I5YzZiYzJmZmM4YjMwMDFlOTA4MGE3ZWZjZTMzNjU3YWU1MzViYjZkOTkzZjYzOGYyNg",
+ "alg": "RS256",
+ "n": "8vjeHzRhvpfMystncPnLBWy_t5F3eCxbcLbdugWnzfnIgaV6TWnqPBUagJBKpzRZs4A9Qja_ZrSVJjYsbARzCS_qiWp0Cdwkqn6ZCXpmbpfjYnKORq8N8M-zWaSZYbNvWJ5oSO4kH-LKWzODaFebwTJBpsR1vChHH95doxFuUjiZaisVaQgUJ6drRdlDtImp9r9EAX36YROuYFPoEJcvsH4_uuAR6ClJ12RE3M-YN4NTi1waVNvGbz43oNrpPy7SXgpizingxSGMqI6WU2ysRmk_f9ALgiPIpFDpufiCTYaIcRT-YcUyp9nMDlTRskMuD-dQ1sdJOa11P_yMs-glfQ"
+ }
+ ]
+}
+The following table describes the information contained in the JWKS response:
+| Property | +Description | +
|---|---|
kty |
+The cryptographic family to which the key belongs. Choreo only supports RSA. |
+
e |
+The exponent value of the public key. | +
use |
+The purpose of the key. For example, whether it is for signing or encryption. | +
kid |
+The identification parameter to match a specific key. | +
alg |
+The algorithm to use with the key. | +
n |
+The modulus value of the public key. | +
To enable passing end-user attributes to the backend through API calls via Choreo, follow the steps given below:
+Go to the Set Up card and click Endpoint Configurations. This opens the Endpoint Configurations pane.
+Note
+If the component is an API Proxy, go to the Build Area card and click Security Settings. This opens the Security Settings pane.
+Select the Pass Security Context To Backend checkbox.
+Optionally, specify appropriate audience values in the End User Token Audiences field. Specifying values restricts the JWT to the respective audiences, enabling the backend service to validate and confirm the intended recipients, including itself.
+Note
+The backend JWT does not include the audience field (aud) by default.
+Click Apply.
+API security refers to the measures and practices used to protect Application Programming Interfaces (APIs) from potential threats and vulnerabilities. APIs are essential for enabling communication and data exchange between different software applications and services, making them a critical component in modern software development. However, their openness and accessibility can also make them targets for various security risks. Authentication and authorization are key aspects of API security. Authentication is ensuring that only authorized users or applications can access the API. This can involve using API keys, tokens, or more advanced authentication methods like OAuth 2.0. Authorization is controlling what authenticated users or applications are allowed to do within the API. Authorization mechanisms restrict access to specific resources and actions based on user roles or permissions.
+Organizations using Asgardeo for identity and access management (IAM) can seamlessly integrate it with Choreo as an external Identity Provider (IdP). This guide will walk you through setting up Choreo to authenticate API invocations through Asgardeo which is configured as an external IdP.
+This guide walks you through the following steps:
+To follow this guide, you need to satisfy the following prerequisites:
+You can provide fine-grained access control to your API resources with scopes. Follow the steps below to assign a scope to the resources in the API:
+Follow the Asgardeo API Authorization guide to create an application and an API in Asgardeo and to enable API authorization.
+Note
+JWT as the Access Token.Follow the steps below to consume the Choreo API and use an external IdP for authentication:
+Asgardeo.Click +Add.
+Note
+In the left navigation menu, click Subscriptions.
+Obtain an access token by invoking the token endpoint as follows:
+Note
+Once you receive the access token, you can test invoking the resource using the OpenAPI console in Choreo by specifying the scope.
+API security refers to the measures and practices used to protect Application Programming Interfaces (APIs) from potential threats and vulnerabilities. Authentication and authorization are key aspects of API security. Authentication is ensuring that only authorized users or applications can access the API. This can involve using API keys, tokens, or more advanced authentication methods like OAuth 2.0. Authorization is controlling what authenticated users or applications are allowed to do within the API. Authorization mechanisms restrict access to specific resources and actions based on user roles or permissions.
+Organizations using Microsoft Azure AD for identity and access management (IAM) can seamlessly integrate it with Choreo as an external Identity Provider (IdP). This guide will walk you through setting up Choreo to authenticate API invocations through Azure AD which is configured as an external IdP.
+This guide walks you through the following steps:
+To follow this guide, you need to satisfy the following prerequisites:
+Application Developer role is required. Learn moreYou can provide fine-grained access control to your API resources with scopes. Follow the steps below to assign a scope to the resources in the API:
+To enable external IdP authentication for APIs, create an API on Azure AD that represents the API on Choreo. Follow the steps below:
+For more information, refer to the Azure documentation:
+You can restrict users to the API as follows:
+For more information, refer to the Azure documentation: Assign the app to users and groups to restrict access
+To expose the API to application developers, create an application in Azure AD. This application provides you with a client-id and client-secret that your application needs to use to invoke the API.
+Follow the steps below to create the application:
+Configure the platform settings. Enter your client application's redirect URI in the process.
+Note
+OAuth2 Authorization Grant flow applies to Web Applications.
+Once you create the application, select the API and the scopes you want the application to consume. Follow the steps below:
+For more information, refer to the Azure documentation: Add permissions to access your web API
+To invoke the application, provide client secrets to the consuming application. Follow the steps below to generate the credentials:
+Secret ID and Value for future reference. Application (client) ID and save it for future reference.For more information, refer to the Azure documentation: Add a Client Secret
+Follow the steps below to consume the Choreo API and use an external IdP for authentication:
+Application (client) ID you copied in at Step 3.2 as the Client ID.Click +Add.
+Note
+In the left navigation menu, click Subscriptions.
+You can now invoke the Choreo API using the authorization code grant. Choreo will authenticate the user with Azure AD and provide access to the resource.
+Invoke the authorization endpoint as follows:
+curl -X POST -H 'Content-Type: application/x-www-form-urlencoded' \
+{token_endpoint} \
+-d 'client_id={client_id}' \
+-d 'scope={scopes}' \
+-d 'code={authorization_code}' \
+-d 'redirect_uri={redirect_url}' \
+-d 'client_secret={The client_secret value you copied from the Azure Application}'
+-d 'grant_type=authorization_code' \
+curl -X POST -H 'Content-Type: application/x-www-form-urlencoded' \
+https://login.microsoftonline.com/dd912d48-b0be-401f-b18c-8ca89e9c0b6c/oauth2/v2.0/token \
+-d 'client_id=5eb1de74-e449-4973-a620-52c4dc9157a9' \
+-d 'scope=api://580b40b7-5513-4714-a4e0-8d4e784f7dc6/urn:taylordean:books:books_add' \
+-d 'code=0.AXAASC…zZUzKYm18yM_5-SXz1uvRbbGYF7F32hE9zIQFRQY35haD' \
+-d 'redirect_uri=https://localhost:9000' \
+-d 'grant_type=authorization_code' \
+-d 'state=111' \
+-d 'client_secret=l4Q8Q~4WKiRXYSQZly5E6Ess.fKf__U1yJR3IaMd'
+Once you receive the access token, you can test invoking the resource using the OpenAPI console in Choreo by specifying the scope.
+To establish secure communication between the Choreo Gateway and your backend, you can configure mutual TLS.
+Mutual TLS authentication involves both the client and server validating each other’s certificates before establishing a connection. The following diagram depicts this scenario:
+
To establish secure connectivity between the Choreo Gateway and your backend using mutual TLS, you must add the certificate of the backend (server certificate) to Choreo and add the certificate of Choreo (client certificate) as a trusted certificate in the backend.
+.pem extension.To configure the backend certificate, follow the steps given below:
+There are two approaches you can take to configure mutual TLS.
+Follow the step-by-step instructions below depending on how you want to establish mutual TLS with the backend service:
+When you follow these steps, Choreo generates a key pair with a self-signed certificate. You can attach this key pair to any API proxy created within the same project.
+In the Add Client Certificate Pair dialog, select Generate new key pair and specify a value as the common name for the certificate pair. This value will be used to identify the certificate.
+
Optionally, click Show advanced options to expand the section and specify appropriate values for each of the fields.
+Click the more options icon corresponding to the certificate and then click View and Download.
+
This opens the certificate for you to view and download.
+
To download the certificate in PEM format, click Download. You can add this certificate as a trusted certificate in the API backend server.
+Now you can associate the certificate with the API and deploy the API.
+Here, you can use your own public certificate and private certificate as client certificates.
+In the Add Client Certificate Pair dialog, select Use my own key pair.
+
Upload the private key and public certificate in PEM format or copy and paste the content of the private key and public certificate.
+Click the more options icon corresponding to the certificate and then click View and Download.
+
This opens the certificate for you to view and download.
+
To download the certificate in PEM format, click Download. You can add this certificate as a trusted certificate in the API backend server.
+Now you can associate the certificate with the API and deploy the API.
+To associate a certificate with the API, follow the steps given below:
+Select the certificate you want to associate with the API.
+
Click Save.
+To deploy the API, follow the steps given below:
+Once the deployment is complete, you can test the API.
+If the API backend changes depending on the environment, the respective certificate must be updated for each environment.
+Here, let's take a look at the steps to update the certificate for the production environment:
+The managed authentication capability of Choreo simplifies adding authentication and authorization to a single-page web application.
+As a developer, you can easily set up Choreo's managed authentication to seamlessly integrate authentication into your web application. You just need to enable Choreo’s managed authentication, configure the built-in identity provider, and connect to Choreo without having to deal with the complexities of underlying OIDC/OAuth2.0 protocols.
+Choreo's managed authentication follows the backend for frontend (BFF) architecture, which is a secure pattern recommended for browser-based applications that utilize OIDC/OAuth2.0 for authentication and authorization. This architecture ensures that OAuth tokens remain secure from browser-side code, making them immune to potential attacks like cross-site scripting (XSS).
+Note
+Choreo's managed authentication is currently available only for web applications created with React, Angular, or Vue.js buildpacks.
+Warning
+Managed authentication uses the 'SAMESITE' cookie attribute to prevent CSRF attacks. Therefore, it is recommended to use managed authentication with modern browsers that support the 'SAMESITE' attribute.
+To secure your web application, you must implement authentication and authorization for it.
+To easily set up authentication for your web application with Choreo's managed authentication, follow the steps given below. Before you move on to the next section, see Develop Web Applications Locally with Choreo’s Managed Authentication to ensure a seamless authentication experience when developing your web application on your local machine. You can also refer to the sample React app with managed authentication.
+To allow Choreo to manage the sign-in functionality for your web application, you must implement a sign-in button that redirects users to the /auth/login path on click. You can use the following code snippet or any custom button component from a preferred UI component library:
This code snippet works as follows:
+When a user clicks sign in on your web application, Choreo will redirect the user to the configured identity provider and handle the authentication process, conforming to the OICD/OAuth2.0 protocols. On successful sign-in, Choreo will set the relevant session cookies and redirect the user to the post-sign-in path (default is /). The user can then invoke any Choreo-deployed APIs depending on the permission granted.
Note
+Refer to configure the identity provider section for details on configuring an identity provider for the web application.
+If you want to pass additional query parameters to the identity provider, include them in the /auth/login request. Choreo appends these parameters to the authorize request sent to the identity provider.
For example,
+ + +Choreo's managed authentication allows you to access user information claims that the identity provider returns post-sign-in, either via a cookie or by invoking a GET resource.
+userinfo cookieUpon successful sign-in, Choreo's managed authentication establishes a userinfo cookie that is accessible from the post-sign-in path you configured (by default, set to /). This userinfo cookie, provided by the identity provider, contains encoded user information claims.
Note
+userinfo cookie is intentionally set to have a short lifespan of only 2 minutes.js-cookie library for cookie parsing. You can use any cookie-parsing library of your choice. The recommended approach is to retrieve user information from the cookie and subsequently clear the cookie. The following is a sample code snippet that you can include in your post-sign-in path to retrieve user information from the cookie and subsequently clear the cookie:
+ import Cookies from 'js-cookie';
+
+ // Read userinfo cookie value.
+ const encodedUserInfo = Cookies.get('userinfo')
+
+ // Decode the value.
+ const userInfo = JSON.parse(atob(encodedUserInfo))
+
+ // Store the value in a preferred browser-based storage if needed.
+
+ // Clear the cookie.
+ Cookies.remove('userinfo', { path: <post-login-path> })
+Choreo's managed authentication provides the GET endpoint /auth/userinfo in addition to the userinfo cookie that it sets after successful sign-in. You can use this endpoint to query information about users who have signed in. It also serves as a mechanism to check the state of a user who has signed in.
The following is an example of a request to this endpoint:
+ + +If a user has signed in, the server sends a 200 OK response with the user information in JSON format in the response body. However, if the user is not signed in, the server sends a 401 Unauthorized response.
To allow Choreo to manage the sign-out functionality of your web application, you can implement a sign-out button to redirect users to the /auth/logout path along with the session_hint cookie value on click. You can use the following code snippet or any custom button component from a preferred UI component library:
Note
+js-cookie library for cookie parsing. You can use any cookie-parsing library of your choice. <button onClick={async () => {
+ window.location.href = `/auth/logout?session_hint=${Cookies.get('session_hint')}`;
+}}>Logout</button>`
+When a user clicks the sign-out button, Choreo will clear the session cookies and redirect the users to the OIDC logout endpoint of the configured identity provider (if available).
+To invoke Choreo APIs within the same organization as your web application, you can use the relative path /choreo-apis/<api-suffix>, regardless of whether managed authentication is enabled for the web application or not.
Note
+To invoke a Choreo API from a web application, you need to create a Connection from the web application to the Choreo API.
+For example, if the API URL is https://2d9ec1f6-2f04-4127-974f-0a3b20e97af5-dev.e1-us-east-azure.choreoapis.dev/rbln/item-service/api-e04/1.0.0, the <api-suffix> would be /rbln/item-service/api-e04/1.0.0. You can invoke the API using the /choreo-apis/rbln/item-service/api-e04/1.0.0 relative path from your single-page application.
Info
+To copy the exact service URL of a Connection, you can follow the steps given below: + 1. In the Choreo Console, go to the appropriate web application component. + 2. In the left navigation menu, click Connections under Dependencies. + 3. Click on the required Connection and copy the service URL.
+If you enable Choreo's managed authentication, you don't have to manually add any logic to attach an access token to the API call because Choreo APIs accept the cookies set by Choreo's managed authentication. You can directly invoke the API as follows:
+ + +If Choreo's managed authentication is disabled, you must ensure that your web application attaches a valid access token to the API call.
+When a user session exceeds the configured session expiry time, it automatically expires. A 401 Unauthorized response status code for a Choreo API request from a logged-in user indicates that the session may have expired, requiring the user to re-login.
To programmatically handle session expiry and automatically re-login upon receiving a 401 Unauthorized response from a Choreo API, you can encapsulate the request with re-login logic. The following sample code snippet shows how to wrap GET requests:
export const performGet = async (url) => {
+ try {
+ // API call
+ return await fetch('/choreo-apis/<api-suffix>');
+ } catch (error) {
+ if (error instanceof HttpError && error.status === 401) {
+ // Re-login
+ window.location.href = "/auth/login";
+ } else {
+ throw error;
+ }
+ }
+ };
+You can set up Choreo's managed authentication to redirect to a customized error page within your web application by defining the error path in the configuration. In the event of an error during a redirection-based process, such as sign in or sign out, Choreo will automatically redirect the user to the designated custom error page.
+Note
+If you have not configured an error path, Choreo's managed authentication will use its default error page whenever an error occurs.
+Choreo's managed authentication will include the following query parameters in the URL when redirecting to the custom error page:
+| Parameter | +Description | +
|---|---|
| code | +A short textual error code indicating the error | +
| message | +The description of the error | +
Now have successfully implemented Choreo's managed authentication for your web application. The next step is to enable managed authentication for the component, and subsequently deploy it.
+To ensure that your web application functions seamlessly with managed authentication, it is essential to enable managed authentication for your web application component within Choreo.
+You can enable managed authentication for your web application component at the time you deploy the component.
+Tip
+Managed authentication is enabled by default when you create a web application using React, Angular, or Vue.js buildpacks.
+Specify appropriate values for the following fields:
+| Field | +Description | +Default value | +
|---|---|---|
| Post Login Path | +The relative path that the application will be redirected to on successful sign-in. In your code, you must implement the necessary logic to obtain signed-in user's information from the userinfo cookie set by managed authentication. See Obtain user information via the userinfo cookie section in Obtain user information claims. |
+/ | +
| Post Logout Path | +The relative path to which Choreo redirects you on successful sign-out. | +/ | +
| Error Path | +The relative path to which Choreo redirects you when an error occurs during a redirection-based flow (i.e., sign in or sign out). See Set up a custom error page. | +Built-in error page | +
| Session Expiry Time | +The time in minutes after which the user session expires. For a seamless experience, the session expiry value should match the refresh token expiry time of the OIDC application in your identity provider. | +10080 Minutes (7 Days) | +
| Additional Scopes | +All additional scopes required by the web application. The openid, profile, and email scopes are added by default together with the scopes required to invoke subscribed APIs. |
+none | +
Note
+If you need to change these configurations after you deploy the component, you can click Authentication Settings on the Set Up card, make the necessary changes, and deploy the component once again.
+You can configure your web application to work with the Choreo built-in identity provider, Asgardeo, or any external identity provider which supports OIDC/OAuth2.0 .
+Note
+The identity provider configured in this step should contain the users for the web application.
+Click the respective tab for details depending on which identity provider you need to configure:
+Follow the steps given below to configure the built-in identity provider by generating authentication keys:
+Note
+Choreo built-in identity provider is configured by default. Therefore, this step is optional.
+Click Generate Secret.
+Note
+If the Regenerate Secret button is shown instead of the Generate Secret button, it indicates that OAuth keys are already generated for the component for the selected environment.
+Tip
+Refer to Configure a User Store with the Built-In Identity Provider for details on adding test users in Choreo built-in identity provider.
+Tip
+If you need to invoke APIs secured with role-based access control, you can test this within Choreo by creating roles for the application and mapping those roles to relevant permissions (scope) and user groups. For more information, see create roles and assign permissions and assign roles to user groups sections in Test Secure API Access with Choreo Built-In Security Token Service.
+Step 3.1: Create and configure an OIDC/OAuth2.0 application in Asgardeo
+Click the Protocol tab and follow these steps:
+Code and Refresh Token as the Allowed grant types.JWT as the Token type.Click Update.
+Tip
+If you need to invoke APIs secured with role-based access control, you must create roles in the application and map those roles to relevant permissions (scope). Then those roles should be assigned to user groups. For more information, see the Asgardeo API authorization guide.
+Copy the Client ID and Client Secret of the application. You will need to use these values in the next step to link the OIDC/OAuth2.0 application to your Choreo component.
+Step 3.2: Link the OIDC/OAuth2.0 application to the Choreo web application component
+Step 3.1: Create and configure an OIDC/OAuth2.0 application in the external identity provider
+Configure the OIDC/OAuth2.0 application as follows:
+Code and Refresh Token as allowed grant types.Specify the access token type as JWT.
+Tip
+If you want to invoke APIs secured with role-based access control, you must ensure that users are assigned a role mapping that grants the necessary permission for API invocation. The approach of mapping application roles to users can vary depending on the identity provider.
+Step 3.2: Link the OIDC/OAuth2.0 application to the Choreo component
+API security can protect APIs from potential threats and vulnerabilities, with authentication and authorization playing key roles. Authentication ensures that only authorized users or applications can access the API. This involves using API keys, tokens, or more advanced authentication methods like OAuth 2.0. Authorization governs the actions permitted for authenticated users or applications within the API. Authorization mechanisms restrict access to specific resources and actions based on user roles or permissions.
+Choreo simplifies security testing for developers, allowing them to easily test APIs with permissions in non-critical environments. With its integrated security token service, Choreo provides authorization features that generate scopes based on the correlation between scopes, roles, and user groups. Developers can create roles, assign permissions, and set up user-group mappings using Choreo's built-in identity provider (IdP).
+This guide walks you through the following steps to test the invocation of secured APIs with permissions using Choreo's built-in authorization capability:
+Before you try out this guide, ensure you have set up the following:
+You can provide fine-grained access control to your API resources with permissions. Follow the steps below to assign permissions to the resources in the API:
+To apply the latest permissions to the deployed component, you must redeploy it. Follow the steps below to redeploy:
+To publish your API to the Choreo Developer Portal, follow the steps given below:
+The permissions assigned to your API need to be associated with roles. Follow the steps below to create roles and assign permissions to the roles.
+Select the permissions you want to assign to the role, and then click Create.
+Tip
The permissions(scopes) defined for APIs exposed via components in the project and the permissions(scopes) required by connections created for components in the project are listed here.
+ +You must assign roles to the user groups defined in your Choreo built-in IdP to ensure that authenticated users can obtain access tokens with the required permissions.
+Click the Application Security tab and then click Role Management.
+Tip
The roles defined within different projects in the organization are listed here.
+ +Click Map Groups corresponding to a role that you want to assign to a group.
+To test an API invocation, you must first create a connection to your API. To do this, you must have a web application created. You can use the web application you created while setting up the prerequisites.
+To create a connection to the web application, follow the steps given below:
+Now you can proceed to deploy the web application.
+When deploying, if your web application is a single-page application (SPA), you have the option to allow Choreo to handle authentication on behalf of the application. This approach eliminates the need to incorporate OAuth protocol-specific logic into your application.
+If managed authentication is enabled for your web application, Choreo automatically handles obtaining the necessary permission for API invocation. This occurs during the request for access tokens, allowing you to seamlessly invoke the subscribed APIs through your web application without additional intervention.
+Note
+If you change the permissions of an existing connection or create a new connection with permissions, you must redeploy your web application to ensure proper API invocation with managed authentication.
+If your application manages authentication independently, follow the steps below to generate the necessary OAuth credentials to obtain access tokens:
+code and refresh grant types are selected. This is required to obtain access tokens with an authorization code grant.The Choreo Command Line Interface (CLI) is a command-line tool that helps you easily work with Choreo using commands. By utilizing commands, it significantly improves the development experience for Choreo users. This versatile tool simplifies different stages of the development process, making interactions more efficient and user-friendly.
+Choreo serves as a comprehensive internal platform-as-a-service. The Choreo CLI serves as a pivotal tool aimed at enhancing its capabilities. With the Choreo CLI, you can leverage the following benefits:
+Streamline Deployment Processes: Choreo CLI simplifies the entire process from creating a component in Choreo, building it, to deploying, testing, and monitoring independent of the language and framework used to implement the component.
+Versatile workflow across frameworks: Regardless of your chosen framework, Choreo CLI offers a uniform end-to-end process. Choreo seamlessly integrates with different web application types (SPA, SSR, SSG, or simple static files), services (REST, GraphQL, gRPC), scheduled jobs, manual triggers, API proxies, and more. This versatility enables you to orchestrate a wide range of cloud-native components seamlessly.
+Create and Manage Resources: Simplify project and component management. You can easily initiate and organize projects in Choreo through simple commands.
+Create Builds and Deployments: Simplifies the process of creating builds and deploying components. You can build and promote components to environments easily with simple commands, ensuring a seamless transition from development to deployment.
+Note
+The Choreo CLI currently supports the following component types:
+Monitor with Logs : The integrated log functionality in the Choreo CLI allows you to effectively monitor your components. You can access valuable insights into your components behavior and performance directly from the command line.
+For troubleshooting tips and answers to frequently asked questions, see the Choreo CLI FAQ.
+ + + + + + +This guide walks you through the following sample use case:
+This guide utilized a simple to-do app built with Next.js and two basic environments: Development and Production.
+Follow the steps below to install the CLI:
+Install the Choreo CLI by running the command specific to your operating system:
+For Linux and Mac OS +
+For Windows (via PowerShell) +
+Verify the installation by running the following command:
+ + +Run the following command to login to Choreo:
+ + +Follow the instructions on the console to open the link in the browser and login to Choreo.
+A project in Choreo is a logical group of related components that typically represent a single cloud-native application. A project consists of one or more components.
+Create a multi-repository project named ‘web-app-project’ by running the following command:
+ + +In Choreo, a component within your project represents a singular unit of work in a cloud-native application. It can be a microservice, API, web application, or job/task. Each component is associated with a directory path in a Git repository containing the source code for the program.
+Note
The Choreo CLI currently supports the following component types:
+Fork the repository https://github.com/wso2/choreo-sample-todo-list-app. This contains a sample web application that you can use for this guide.
+To initiate the creation of a Web Application component within your project, use the following command: +This triggers a wizard prompting you to provide details for your Git repository and other configurations for your component.
+ + +Select the option Enter remote repository URL manually.
Enter the following values for the prompts.
+| Prompt | +value | +
|---|---|
| Configure source repository | +Enter remote repository URL manually |
+
| Remote repository URL | +Your forked repository | +
| Branch | +main |
+
| Directory | +. |
+
| Build-pack | +nodejs |
+
| Language Version | +20.x.x |
+
| Port | +8080 |
+
Note
+The prompts may vary based on the type of component and the chosen build pack.
+To view comprehensive information about the component, including basic details and service endpoint URLs once the services are deployed, you can use the following command:
+ + +You must build the components before deploying them to a specific environment. Execute the following command to trigger the build:
+ + +To check the status of a specific build, run the following command, replacing
Note
+Typically, a build takes approximately 2 to 5 minutes to complete.
+Once the build is complete, you can view the build logs for verification or debugging purposes. In the unlikely case, the build encounters any issues, the logs will help you troubleshoot.
+choreo logs --type=build --project="web-app-project" --component="my-web-app" --deployment-track="main" --build-id=<build_id>
+Once the build status indicates successful you can deploy the component in the Development environment by running the following command:
choreo create deployment "my-web-app" --env=Development --project="web-app-project" --build-id=<build-id>
+After deploying the component, you can retrieve the URL of the deployed web application and open the publicly available web page to verify its behavior. Use the following command to retrieve the URL:
+ + +To observe runtime application logs of the web application in the Development environment, execute the following command:
+choreo logs --type component-application --component my-web-app --project web-app-project --env Development --follow
+Once you verify your application in the Development environment, you can proceed to deploy it to the Production environment with the following command:
+choreo create deployment "my-web-app" --env=Production --project="web-app-project" --build-id=<build-id>
+To ensure a successful deployment to the Production environment, retrieve the URL of the deployed web application using the following command:
+ + +Congratulations! You successfully deployed your web application in Choreo using the Choreo CLI.
+Discover other functionalities of Choreo by running the following command.
+ + + + + + + +The Choreo Marketplace promotes and facilitates reusing and sharing services. It allows you to share all the services deployed in Choreo. +You can easily browse and search available services within the Marketplace and refer to the service definitions, documentation, instructions on how you can use it, etc.
+
The Marketplace includes all services deployed in your organization. This may be a large number of services. Therefore, effective discoverability is desirable.
+You can use the search or apply various filter criteria to explore the services available.
+The top search bar provides universal searching to find the services. It allows you to search for a text in the following search attributes:
+The Choreo Marketplace provides a filtering capability through the left-hand side filter panel. It allows you to filter with the following filter attributes:
+Type: This filter enables you to categorize services based on their type, with two available options: "Internal" and "Third-party". "Internal" refers to services deployed within Choreo, while "Third-party" refers to services running externally to Choreo, independently added to the Marketplace.
+Network Visibility: This filter enables you to categorize services based on their network visibility level, with three choices: "Public," "Organization," and "Project". "Public" filters services exposed publicly, "Organization" represents services exposed across the entire organization, and "Project" represents services exposed at the project level.
+You can click on the service card to open the detailed view of the service. The detailed service page features the service name, summary, version, labels, and service icon as the header.
+Choreo organizes the service content into four tabs. The four tabs contain information as follows:
+Overview: Choreo displays the service overview provided by the service developer. If the service developer has not provided any content at service creation, this section will be disabled. The service developer can provide the overview content via the Manage → Marketplace section of the component.
+API definition: Includes the API definition for the service, extracted from the component.yaml file in the user repository. If an API definition is not provided, this tab will be empty.
Note
+If you are are currently using the component-config.yaml or endpoints.yaml configuration files, see the respective migration guide for instructions on migrating to the recommended component.yaml configuration file.
How to use: Includes instructions on how to use the selected service. This includes instructions on creating a connection.
+Related documents: Includes any additional content the user has provided as documents through the Manage -> Marketplace section of the component.
+You can add services to the Marketplace as Choreo services as follows:
+In Choreo, a service exposed through the platform is termed a Choreo service, with each service being identifiable by an endpoint within a Choreo service component. The Marketplace showcases a service for each endpoint within a service component.
+Upon deployment to the initial environment, services get automatically added to the Marketplace. Choreo effortlessly collects essential details such as component name, endpoint name, description, and service definitions during this deployment, utilizing them to generate the corresponding service entries in the Marketplace.
+The service name follows the convention of component name - endpoint name, while all other details remain unchanged.
In the Choreo Marketplace, service versions are displayed in their major version format. Each service in the Choreo Marketplace represents the latest version of the service within its major version, following semantic versioning principles.
+For example, if a Choreo service has versions v1.0, v1.1, v1.2, and v2.0, the Choreo Marketplace displays services with versions v1 and v2 representing the latest versions v1.2 and v2.0 respectively.
When you deploy a new minor version of a service already deployed in Choreo, the corresponding service in the marketplace automatically updates to reflect the latest version within the same major version.
+When you use a service from the Choreo marketplace as a dependency, the dependent service's traffic automatically routes to the latest version of the corresponding service within the same major version. This ensures that your dependencies remain up-to-date without requiring manual updates within a major version.
+For example, if you create a connection to connect your Choreo component named Foo to a Choreo service named Bar, which is currently available in the Choreo Marketplace as version v1, and if the latest version of the service Bar within the v1 range is v1.2, the component Foo will automatically connect to Bar v1.2. Subsequently, when Bar releases version v1.3, traffic from Foo will automatically route to Bar v1.3.
You can edit services in the Choreo Marketplace. During redeployment to any environment, Choreo automatically updates service definitions, visibility, and descriptions.
+ + + + + + +Choreo provides a streamlined continuous integration and continuous deployment(CI/CD) experience to deploy applications and services efficiently across multiple environments.
+Choreo creates environments for each project, where all components within the project share the environments. An environment is an isolated deployment area with restricted network and resource access. Services deployed in one environment cannot communicate with services deployed in another.
+The Choreo cloud data plane provides two default environments (i.e., development and production). However, if you are in a private data plane organization, you can customize and create multiple environments based on your requirements.
+Choreo adopts a build once, deploy many strategy to manage components across multiple environments. An application is built only once (i.e., per commit if automatic build on commit is enabled or based on the selected commit during a manual build). Then it is promoted to subsequent environments. This allows testing changes in lower, non-production environments like development before promoting the build to production.
+Choreo injects configurations and secrets that you maintain at the environment level into components at runtime. This ensures a strict separation of environment-specific configurations from source code. Although configurations can vary across environments, the code and the built container remain unchanged. Configurations and secrets include:
+All configurations and secrets are encrypted at rest and in transit and stored in a secure vault. In a private data plane organization, you can store configurations and secrets in your infrastructure.
+Choreo auto-generates build pipelines that may slightly differ depending on the component type you create. Generally, all build pipelines work as follows:
+Choreo can replicate builds from an identical code version (Git commit). This means that multiple builds initiated from the same Git commit will generate Docker images with the same behavior.
+Note
+In the event of multiple builds from the same code version, Choreo preserves only the most recent version of the Docker image created from the particular code version.
+On the Build page, click Build Latest. If necessary you have the option to select a particular commit and build an image.
+If you want to automatically trigger a build with each commit, you can enable Auto Build on Commit.
+You can view build logs for specific builds on the Build page.
+To view details of a specific build, click View Details corresponding to the build.
+Once you build an image in Choreo, you can deploy it via the Deploy page. To deploy an image, you can follow one of the approaches given below:
+Manually deploy: In the Deploy page, go to the Set Up card and click Deploy.
+Automatically deploy on build: In the Deploy page, go to Set Up card and enable Auto Deploy on Build. This automatically initiates deployment upon the completion of an automatic build.
+Info
+To enable Auto Deploy on Build, you must enable Auto Build on Commit. This is because automatic deployment is not necessary or useful in scenarios where automatic build is not enabled.
+Note
+In the deploy phase, Choreo uses a setup area to merge the Docker image with its environment-independent configurations. Choreo then deploys this composite to the environment. This is known as the initial deployment.
+Once Choreo deploys a component with configurations, the configurations become immutable. Any subsequent change results in a new deployment.
+Choreo builds a container once per GitHub commit and then promotes it to subsequent higher environments.
+You can go to the Deploy page of a component and promote it manually across environments.
+Choreo allows you to define both environment-independent configurations and environment-specific configurations.
+These configurations apply to all environments.
+To change environment-independent configurations, go to the Deploy page of the component, make the necessary configuration changes via the Set Up card, and then trigger a new deployment to the initial environment. From there, you can proceed to promote the component to higher environments.
+These configurations apply to a particular environment.
+To change environment-specific configurations, go to the Deploy page of the component, make the necessary configuration changes via the specific environment card, and trigger a new deployment.
+To learn more about managing these configurations, see Configuration Management.
+The information on the Execute page is only applicable to scheduled and manual task components.
+To track and monitor executions associated with a deployed scheduled task or manual task, go to the left navigation menu and click Execute.
+You can view current and historic execution details along with a quick snapshot of recent activity via the total count of executions within the last 30 days. For each execution, you can view vital details such as the unique execution ID, the time it was triggered, and relevant revision information. Furthermore, you can dive deeper into the details by clicking on a specific execution to access its associated logs. This information enhances transparency, troubleshooting capabilities, and overall execution management, allowing you to easily monitor and analyze workflows.
+Choreo performs rolling updates to ensure zero downtime between deployments and promotions.
+A new build undergoes a health check before traffic is switched to it from the current build.
+If you configure the necessary health checks for a component, it can prevent deploying and promoting unhealthy versions of a component.
+ + + + + + +A component within a project represents a single unit of work in a cloud native application. A component is usually a single microservice, API, or job/task. Each component in Choreo is attached to a given directory path in a Git repository which either contains program source code or a Dockerfile with build instructions. A component is Choreo’s unit of deployment. Each component maps to a single pod in the Kubernetes cluster (data plane) at deployment time. Therefore, you can deploy, manage, and scale each component in Choreo independently.
+Choreo supports different component types for various use cases. These include component types such as services, API proxies, integrations, web applications, and so on. Each component type hosts unique features based on its characteristics. For example, a scheduled integration component can accept a cron expression as a configuration to schedule an integration job/task.
+ + + + + + +Services can exist in two main forms: standalone and integrated. Connecting services is an integral part in creating integrated solutions. Choreo allows you to connect services using Connections.
+Using Connections, you can integrate the service you intend to deploy on Choreo with other services on Choreo or external resources. Upon creating a connection to a service on Choreo, Choreo provides you a Connection ID along with a set of connection parameters. Thereafter, you have the capability to configure your service to establish a connection using this Connection ID and map connection parameters to environment variable names in your Choreo component. You can read these environment variable names in your service implementation to retrieve the values, to create a programmatic connection to the service you want to consume.
+At runtime, Choreo dynamically injects values into the environment variables based on the configured mapping. This approach ensures that the connection parameter values and the service connection creation remain loosely coupled, providing developers with flexibility and ease of maintenance.
+You can add Connections in different visibility levels: Project and Component. The visibility levels are described below:
+Project Connections are Connections you create to connect to services within a particular project. The Connections can be used by any component within the project.
+For example, if you want to share a third-party service like Twilio across the project for all the components within that project to reuse, you can create a project connection. Components can refer to Project Connections using the connection ID. +Project connections created to consume Choreo services under the OAuth security scheme will share the same OAuth application across the project. Any component reusing such a connection will use the same client ID and client secret.
+Component Connections are Connections you define at the component level and used by only that component.
+For example, create a component connection if you want to connect a legacy service to a given component. Components can refer to the Component Connection using the connection ID. +If your component consumes more than one Choreo service, the Component connections created to consume those Choreo services under the OAuth security scheme can share the same OAuth application by sharing the same client ID and secret between all such connections.
+Learn how you can share and reuse services using connections in Choreo.
+ + + + + + +Choreo's architecture comprises two key components: the control plane and the data plane. The control plane handles essential tasks such as administering organizations, users, and projects. In addition, it also governs the entire journey of application development, from the initial stages of creation, progressing to deployment, including measures to enforce governance and the provision for observability. The Choreo control plane is a SaaS that manages all cloud data planes and private data planes. It caters to diverse user personas, including CIOs, architects, and developers, as well as DevOps, site reliability engineers, and platform engineers.
+The data plane is the environment where user applications are deployed based on configurations set in the control plane. These applications can range from services and web applications to APIs, integrations, and scheduled tasks. The applications can be written in various programming languages, allowing for a polyglot approach. Importantly, all traffic related to the runtime of user applications is restricted to the Choreo data plane, ensuring strict containment of user data within its boundaries.
+Choreo's architecture features two distinct data plane types: cloud data planes and private data planes. A cloud data plane utilizes a multi-tenanted infrastructure model for deploying user applications, creating a shared yet secure environment for application runtime. In contrast, a private data plane(PDP) provides dedicated infrastructure for a single organization to run its user applications. This ensures an added layer of privacy and control for organizations with specific requirements.
+
Choreo private data planes can be deployed with almost all major cloud providers, such as Azure, AWS, and GCP, and are also compatible with on-premises infrastructure.
+The essential requirements for a private data plane include upstream-compatible Kubernetes clusters, a container registry, a key vault (secret store), and a logging service or log storage.
+
Setting up the Choreo PDP system involves using a Helm installation on the Kubernetes infrastructure. +The following software components are installed during the helm execution:
+All of these software components receive automatic updates, including security patches and bug fixes through the flux controller connected to the Choreo Update Management System.
+The private data plane requires communication with the Choreo control plane to manage various activities. All these communications are outbound from the private data plane, ensuring that there is no need to open any specific IP:Port from its perspective for these interactions. However, if an organization's network restricts all outbound traffic, it is necessary to permit outbound traffic to the public IP range of the Choreo control plane.
The following table outlines the inbound and outbound connections from a private data plane:
+| Data plane component | +Endpoint | +Direction | +Protocol | +
|---|---|---|---|
| Choreo PDP agent | +Choreo control plane (CP) (mizzen server) | +Outbound | +WSS | +
| Kubernetes API server | +Outbound (cluster internal) | +HTTPS, WS | +|
| APIM/local adaptor | +Global adaptor | +Outbound | +HTTPS | +
| Azure Service Bus (CP) | +Outbound | +AMQP | +|
| APIM/Enforcer | +Event hub (CP) | +Outbound | +AMQP | +
| Choreo secret resolver | +Cloud secret store | +Outbound (VPC internal) | +HTTPS | +
| Container registry | +Container registry (public) | +Inbound | +HTTPS | +
| Container registry | +Outbound (VPC internal) | +HTTPS | +|
| Certificate manager | +Azure DNS service | +Outbound | +HTTPS | +
| LetsEncrypt | +Outbound | +HTTPS | +|
| Flux source controller | +GitHub | +Outbound | +HTTPS | +
| Flux Helm controller | +Choreo container registry | +Outbound | +HTTPS | +
All communication between the control plane and the private data plane is secured using TLS.
+The following diagram depicts the architecture overview of Choreo's in-data-plane log and observability in Azure PDP:
+
The private data plane observability architecture is centered around a strong commitment to data privacy and compliance. This is achieved through a strategic decision to retain logs and observability data within the data planes itself. Key aspects of this architecture include:
+The Choreo private data plane ensures extensive, production-grade security, ranging from infrastructure and architecture to zero-trust network security. All incoming traffic is protected by a firewall and must undergo authentication and authorization via the API Gateway. It also provides end-to-end network traffic encryption using Cilium transparent encryption, ensuring efficient data path encryption.
+For details on the private data plane security levels supported in Choreo pricing plans, see Private Data Plane Security Levels.
+Choreo supports the following management models for private data planes (PDPs), fostering collaboration between WSO2 and customers across diverse scenarios:
+To explore each management model in detail so that you can make informed decisions depending on the supported cloud-based operations and security, see Private Data Plane Management Models.
+ + + + + + +Deployment Tracks in Choreo are structured pathways for simplified software component deployment. They act like advanced CI/CD pipelines, ensuring your components reach their destinations seamlessly, whether from source code or prebuilt images. They establish an organized and structured approach that minimizes the chances of errors and challenges that are typically associated with deployment workflows.
+Deployment Tracks offer practical solutions to enhance the API consumer experience by addressing two critical challenges:
+Streamlined deployment: Deployment Tracks serve as well-designed routes for your software components, enhancing the organization and reliability of the deployment process, similar to a well-structured express route.
+Efficient API versioning: Especially beneficial for managed APIs, Deployment Tracks provide a straightforward method for creating API versions that seamlessly interact with previous iterations. This simplified version management benefits both API creators and consumers alike.
+For streamlined deployments, Choreo dissects two integral approaches that leverage Deployment Tracks: the comprehensive CI/CD integration and the focused CD-Only strategy.
+A deployment track is linked to a particular branch within a GitHub repository. This connection is useful for handling deployments to various environments. On Choreo's Deploy page, you can easily visualize the deployments to specific environments associated with your selected deployment track. Moreover, the deployment track has a functionality that initiates automatic deployments for the linked branch. When activated, merging a pull request (PR) triggers a deployment to the development environment.
+
If you're inclined to use your own Continuous Integration (CI) systems and want to harness the deployment track as a Continuous Deployment (CD) pipeline, you can seamlessly link deployment tracks to a container registry repository. This configuration empowers users to effortlessly deploy images sourced directly from the linked container registry repository.
+
This section applies to only service components. When working with service components in Choreo, it is important to have an effective API versioning mechanism. Choreo follows a versioning mechanism based on Semantic Versioning (SemVer) but only includes the major version and minor version with the prefix v.
For example, v1.2.
You can follow the approach given below when you version APIs in Choreo:
+What is Semantic Versioning?
+Semantic Versioning (SemVer) is a specification that defines how to assign and increment version numbers for software products, including APIs. For more information, see Semantic Versioning specification.
+One of the primary concerns when dealing with SaaS APIs is to minimize disruption for API consumers while continuously developing and deploying updates.
+In compliance with SemVer, changes that don't introduce breaking or additive modifications to the API are categorized as patch updates. Hover, from the perspective of API consumers, these changes should ideally not disrupt their API clients. Typically, API consumers are most concerned with major API version alterations, but there might be instances where minor version changes are communicated to them.
+Therefore, in the context of deployment tracks, API developers only need to specify the major and minor versions being delivered from a particular deployment track. This information is treated as the API version attribute of a deployment track. If the publisher requires versioning for internal tracking purposes, this can be accomplished in Git through the use of Git tags, on GitHub with GitHub releases, and so forth.
+
An Endpoint is a network-exposed function that resides within a component. In Choreo, service and integration components expose one or more endpoints. Each endpoint in a component can have a service contract (OpenAPI, GraphQL SDL) associated with it. This contract is used to expose the endpoint to consumers. In the absence of a contract, Choreo uses /* exposed on all HTTP verbs as the default contract to expose the service or the integration.
+Each endpoint exposed in a component is considered a single API. Therefore, Choreo allows you to do API management per endpoint for a given component. For example, you can perform lifecycle management and configure security settings per endpoint in a given component.
+See Configure Endpoints to learn how to configure endpoints when developing components in Choreo.
+ + + + + + +Choreo offers developers one or more environments to run their applications within a given data plane. By default, the Choreo cloud data plane provides two environments (i.e., development and production). Each project in Choreo is associated with one or more environments available in the organization. For example, project A may choose to utilize dev, staging, and production environments, while project B may only use development and production environments.
+You can promote components within a project across available environments. When you promote a component, its configuration values can be overridden with environment-specific values.
+The following diagram illustrates how a component is promoted across environments.
+
An organization in Choreo is a logical grouping of users and user resources. A first-time user must create an organization and be a member of it when signing in to Choreo. Users and resources in an organization cannot access resources in another organization unless an admin of the other organization invites them and adds them as a member of that organization. A user cannot create more than one organization.
+If you are a member of more than one organization, you can switch from one organization to another when necessary. To do this, select the required organization from the Organization list in the Choreo Console header.
+An organization administrator can invite users to the organization by assigning them specific groups. Invited users receive an invitation via email. An invited user must accept the invitation to join the organization and access the resources of that organization.
+Choreo manages user permissions with groups and roles.
+A group in Choreo is a collection of users, each with one or more roles assigned to them. Users within a group inherit the permissions associated with the roles assigned to that group. For instance, if a user is added to the API Publisher group, they will automatically receive the API Publisher role.
Choreo comes with predefined groups already configured with specific roles, as follows:
+When creating a new group to invite members, be sure to assign a role to the group to ensure users have the required permissions.
+Choreo roles are defined as follows:
+The Organization ID serves as a unique identifier for each organization. To get the organization ID, follow the steps below:
+The organization handle is a unique string that directly corresponds to your organization's name. To get the organization handle, follow the steps below:
+A project in Choreo is a logical group of related components that typically represent a single cloud native application. A project consists of one or more components. All components within a project can ideally be (but is not restricted to) in a single GitHub repository under different paths. This is also known as the monorepo architecture.
+At deployment time, all components within a given project are deployed into a single namespace of the Kubernetes cluster. Components within a project can be exposed to the public internet, internally to the rest of the organization, or privately within the project only. A project in Choreo is represented as a cell with regard to the Cell-based architecture. The following diagram illustrates a project and how the components within a project are laid out at runtime:
+
The following diagram depicts the high-level resources and their relationships in Choreo.
+
Data planes are connected to the organization and are available for all the projects in the organization. When you create an environment in a project, the data plane connected to the organization is linked with an automatically generated Kubernetes namespace.
+Choreo allows multiple Kubernetes clusters to be associated with an environment.
+This allows you to build highly resilient and resource-efficient solutions that utilize multiple clusters. Choreo synchronizes your applications and workloads between associated clusters in an environment. This allows you to perform multi-cluster deployment with a single click.
+The following diagram depicts how multiple clusters associate with different environments:
+
Note
+It is not necessary to use a different cluster per environment. You can create multiple environments on the same cluster. The above diagram is only an example of a specific solution. Your application architecture may require an entirely different configuration than what is depicted in the diagram.
+Components belong to a project in Choreo and environments are provisioned per project as well. When a component is deployed, it is deployed as a container to the specified environment. Once deployed, you can promote the container image across the environments available in the project.
+ + + + + + +Choreo is a platform that allows you to create, deploy, and consume services seamlessly. The Choreo Developer Portal simplifies discovering and using APIs for API consumers.
+Typically, an application developer who may be internal or external to your organization would want to consume the APIs published in the Developer Portal to develop their applications. In this guide, you will learn how to discover, generate credentials, and test the consumption of a service published in the Choreo Developer Portal. You will also learn how to invoke the service via a web application.
+This guide walks you through the following steps:
+Before you try out this guide, if you do not have a published service that you would want to consume via the Developer Portal, follow Develop a Service documentation to publish and deploy a sample REST API.
+In the Choreo Developer Portal, developers can use the search option to find APIs by name. The APIs and services that are created and published through the Choreo Console become visible in the Developer Portal depending on the API's visibility as follows:
+Public: The API is visible to all in the developer portal.
+Private: The API is visible to the users who only sign in to the Developer Portal.
+Restricted: The API is visible to only the user that has the roles that you specify. This option helps developers to enforce fine-grained access control to the API.
+To learn more about API visibility, see Control API Visibility.
+The Choreo Developer Portal lists APIs based on their major version.
+
The overview page of an API displays the subscribed versions of the API along with the respective subscription details such as the subscribed application and the application creation date.
+
Tip
+If you want to use an API, the recommended approach is to use the latest version of it. You can copy the major version pattern provided as the value of Endpoints(s) on the API overview page and use it in your client application. This ensures that your application always invokes the latest API version.
+An application in Choreo is a logical representation of a physical application such as a mobile app, web app, device, etc. To consume an API in Choreo, you need to create an application that maps to your physical application and then subscribes to the required API over a usage policy plan that gives you a usage quota. A single application can have multiple subscriptions to APIs. Using the consumer key and consumer secret, you can generate an access token that you can use to invoke all the APIs subscribed to the same application.
+This section walks you through the steps to create an application in Choreo.
+Let's get started!
+To create an application in the Choreo Developer Portal, follow the steps given below:
+This creates the application and opens the application overview page. You can view details such as the token type, workflow status, and the application owner of the API.
+Choreo provides an OAuth 2.0 bearer token-based authentication for API access. An API access token/key is a string that is passed as an HTTP header of an API request to authenticate access to the API.
+Once you create an application in Choreo, you can generate credentials for it. When you generate credentials for the first time, Choreo provides a consumer key and consumer secret for the application. The consumer key becomes the unique identifier of the application and is used to authenticate the application.
+The following section walks you through the steps to generate an API access token in Choreo.
+You can generate keys and tokens to invoke production and non-production endpoints separately.
+Note
+The capability to access production endpoints depends on your role. If you have permission to access production endpoints, you can generate keys and tokens to invoke production endpoints.
+Click to expand Advanced Configurations and review the options.
+Click Generate Credentials. This opens the Application Keys pane with values populated for the credentials.
+You can use this consumer key and consumer secret values to generate an API access token by invoking the token endpoint. You can also revoke the access token by invoking the revoke endpoint.
+To generate a test token for testing purposes, you can click Generate Token and copy the test token that is displayed. Alternatively, click cURL and copy the generated cURL command to use via a cURL client and obtain a test token.
+Warning
Make sure you do not use the test token in your production environment.
+ +You must subscribe to a published API to use it in your application. New API subscriptions cover all minor versions within the subscribed API’s major version.
+The subscription process is designed to ensure the secure authentication of API requests via application keys. Alternatively, you can generate credentials for an API without an explicit subscription to an application. However, this approach limits the capability to control advanced configurations such as access token expiry time, revoke token expiry time, ID token expiry time, and enabling access to the API without a secret. Generating keys in the API is recommended for testing or short-term usage but not for long-term production usage.
+To subscribe to an API via an application, follow the steps given below:
+Click Add to subscribe to an API. Depending on your requirement, you can subscribe to one or more APIs.
+Tip
+When a new minor version of an API is published, the major version-based invocation URL will automatically route to the latest minor version within the subscribed API's major version. This ensures that existing client applications can continue to function without disruption while benefiting from the improvements or additions in the newer minor version.
+
Once you subscribe to an API, you can invoke the API using the application keys.
+You can invoke the API/service using the credentials you created above. Since Choreo services are secured, you need to invoke the services securely with the help of your IdP. To invoke the API/service you created securely, you need to follow the steps below:
+In this guide, you will be using the following products and examples:
+Info
+You can use your own web application implementation in place of the sample web application. For this exercise, let's use the choreo-samples/reading-list-app/reading-list-front-end as the web application.
+To host the front-end application in Choreo, you must create a web application component. To create a web application component, follow the steps given below.
+Enter a unique name and a description for the web application. You can enter the name and description given below:
+| Field | +Value | +
|---|---|
| Name | +Reading List Web App |
+
| Description | +Frontend application for the reading list service |
+
Click Next.
+In the Connect Repository pane, enter the following information:
+| Field | +Description | +
|---|---|
| GitHub Account | +Your account | +
| GitHub Repository | +choreo-samples |
+
| Branch | +main |
+
| Buildpack | +Click React since the frontend is a React application built with Vite | +
| Build Context Path | +reading-list-app/reading-list-front-end |
+
| Build Command | +npm install && npm run build |
+
| Build Output | +dist |
+
| Node Version | +18 |
+
Click Create. This initializes the service with the implementation from your GitHub repository and takes you to the Overview page of the component.
+Let's consume the service through the web app. Choreo services are by default secured. To consume a service in Choreo you need an access token. Let's configure the web application to connect to an IdP (For this guide, let's use Asgardeo) to generate an access token for a user.
+To invoke the service/API in Choreo you require a token. To obtain a token you need to create an OAuth application in the IdP. If you use any other IdP other than Asgardeo, create an OAuth application and set the following:
+Choreo uses Asgardeo as the default identity provider for Choreo applications. When you create an application in the Choreo Developer Portal, it automatically creates a corresponding application in Asgardeo. You can go to the Asgardeo application to specify the configurations required for end users to sign in to the front-end application. Follow the steps below to configure the Asgardeo OAuth application:
+Click the Protocol tab and apply the following changes:
+In this step, you are adding the configurations needed for the web app to successfully invoke the Reading List Service REST API. These configurations need to be updated for each environment you deploy the web app. Here you will be updating the configurations for the development environment.
+Note
The web application is reading the environment-specific configurations from the window object at runtime. This is done via the config.js file in the root of the web application. In this section, you will mount the config.js file for the development environment. You will need to do the same for other environments as well when you deploy your web application to multiple environments.
To configure the front-end application, follow the steps given below:
+Select the mount configuration options as follows and click Next:
+| Field | +Description | +
|---|---|
| Config Type | +Config Map | +
| Mount Type | +File Mount | +
Specify values as follows for the mount configuration:
+| Field | +Description | +
|---|---|
| Config Name | +Web App Config | +
| Mount Path | +/usr/share/nginx/html/config.js. Every config that needs to be exposed through the web server should be placed inside /usr/share/nginx/html/ |
+
Copy the config details as a JSON file as shown below into the text area. Fill the placeholders with the values you copied from the previous steps as mentioned in the table below:
+window.config = {
+ redirectUrl: "<web-app-url>",
+ asgardeoClientId: "<asgardeo-client-id>",
+ asgardeoBaseUrl: "https://api.asgardeo.io/t/<your-org-name>",
+ choreoApiUrl: "<reading-list-service-url>"
+};
+| Field | +Description | +
|---|---|
| redirectUrl | +The web app URL you copied earlier. | +
| asgardeoClientId | +The Client ID of your OAuth application. In Asgardeo, you can find it on the Protocol tab of the readingListApp application | +
| asgardeoBaseUrl | +Specify the IdP API URL (For example, Asgardeo API URL) with your organization name. i.e., https://api.asgardeo.io/t/<ORG_NAME>. |
+
| choreoApiUrl | +The reading list service URL. Copy the Public URL of the Reading List Service component from the endpoint table in the overview page for the relevant environment | +
Click Create.
+Now you can proceed to deploy the web application.
+To deploy the web application component, follow the steps below:
+That's it! You can use a user created in your IdP and invoke the service through your web application.
+ + + + + + +You must subscribe to a published API to use it in your application. New API subscriptions cover all minor versions within the subscribed API’s major version.
+The subscription process is designed to ensure the secure authentication of API requests via application keys. Alternatively, you can generate credentials for an API without an explicit subscription to an application. However, this approach limits the capability to control advanced configurations such as access token expiry time, revoke token expiry time, ID token expiry time, and enabling access to the API without a secret. Generating keys in the API is recommended for testing or short-term usage but not for long-term production usage.
+To subscribe to an API via an application, follow the steps given below:
+Click Add to subscribe to an API. Depending on your requirement, you can subscribe to one or more APIs.
+Tip
+When a new minor version of an API is published, the major version-based invocation URL will automatically route to the latest minor version within the subscribed API's major version. This ensures that existing client applications can continue to function without disruption while benefiting from the improvements or additions in the newer minor version.
+
Once you subscribe to an API, you can invoke the API using the application keys.
+An application in Choreo is a logical representation of a physical application such as a mobile app, web app, device, etc. To consume an API in Choreo, you need to create an application that maps to your physical application and then subscribes to the required API over a usage policy plan that gives you a usage quota. A single application can have multiple subscriptions to APIs. Using the consumer key and consumer secret, you can generate an access token that you can use to invoke all the APIs subscribed to the same application.
+This section walks you through the steps to create an application in Choreo.
+Let's get started!
+To create an application in the Choreo Developer Portal, follow the steps given below:
+This creates the application and opens the application overview page. You can view details such as the token type, workflow status, and the application owner of the API.
+Choreo provides an OAuth 2.0 bearer token-based authentication for API access. An API access token/key is a string that is passed as an HTTP header of an API request to authenticate access to the API.
+Once you create an application in Choreo, you can generate credentials for it. When you generate credentials for the first time, Choreo provides a consumer key and consumer secret for the application. The consumer key becomes the unique identifier of the application and is used to authenticate the application.
+The following section walks you through the steps to generate an API access token in Choreo.
+You can generate keys and tokens to invoke production and non-production endpoints separately.
+Note
+The capability to access production endpoints depends on your role. If you have permission to access production endpoints, you can generate keys and tokens to invoke production endpoints.
+Click to expand Advanced Configurations and review the options.
+Click Generate Credentials. This opens the Application Keys pane with values populated for the credentials.
+You can use this consumer key and consumer secret values to generate an API access token by invoking the token endpoint. You can also revoke the access token by invoking the revoke endpoint.
+To generate a test token for testing purposes, you can click Generate Token and copy the test token that is displayed. Alternatively, click cURL and copy the generated cURL command to use via a cURL client and obtain a test token.
+Warning
Make sure you do not use the test token in your production environment.
+ +Using access tokens for request authorization strengthens security measures, particularly in preventing certain types of denial-of-service (DoS) attacks aimed at published APIs. API consumers generate access tokens to access the API, incorporating them into their HTTP header requests as simple string values.
+When you register an application on the Developer Portal, you can generate a consumer key and a consumer secret for it. The consumer key and the consumer secret represent the credentials of the application. Similar to a user's username, the consumer key becomes the unique identifier of the application so that you can use it to authenticate the request to the API. Choreo issues an access token for the application against the mentioned consumer key.
+This section walks you through the steps to generate an access token for your application in Choreo.
+Let's get started!
+Before you try out this guide, be sure you have the following:
+You can follow the steps below to generate an access token for your application via cURL:
+Use the following template and compile the cURL command with the values you copied in the above step.
+You can follow the steps below to generate an access token for testing purposes:
+An application in Choreo is a logical representation of a physical application such as a mobile app, web app, device, etc. To consume an API in Choreo, you need to create an application that maps to your physical application and then subscribes to the required API over a usage policy plan that gives you a usage quota. A single application can have multiple subscriptions to APIs. Using the consumer key and consumer secret, you can generate an access token that you can use to invoke all the APIs subscribed to the same application.
+This section walks you through the steps to create an application in Choreo.
+Let's get started!
+To create an application in the Choreo Developer Portal, follow the steps given below:
+This creates the application and opens the application overview page. You can view details such as the token type, workflow status, and the application owner of the API.
+Choreo provides an OAuth 2.0 bearer token-based authentication for API access. An API access token/key is a string that is passed as an HTTP header of an API request to authenticate access to the API.
+Once you create an application in Choreo, you can generate credentials for it. When you generate credentials for the first time, Choreo provides a consumer key and consumer secret for the application. The consumer key becomes the unique identifier of the application and is used to authenticate the application.
+The following section walks you through the steps to generate an API access token in Choreo.
+You can generate keys and tokens to invoke production and non-production endpoints separately.
+Note
+The capability to access production endpoints depends on your role. If you have permission to access production endpoints, you can generate keys and tokens to invoke production endpoints.
+Click to expand Advanced Configurations and review the options.
+Click Generate Credentials. This opens the Application Keys pane with values populated for the credentials.
+You can use this consumer key and consumer secret values to generate an API access token by invoking the token endpoint. You can also revoke the access token by invoking the revoke endpoint.
+To generate a test token for testing purposes, you can click Generate Token and copy the test token that is displayed. Alternatively, click cURL and copy the generated cURL command to use via a cURL client and obtain a test token.
+Warning
Make sure you do not use the test token in your production environment.
+ +Choreo authentication is based on OAuth 2.0. In OAuth 2.0, grant types are methods that allow client applications to obtain an access token depending on the type of the resource owner, the type of the application, and the trust relationship between the authorization server and the resource owner.
+The Authorization code flow provides a secure way for a client application to obtain an access token without exposing the user's credentials to the client application. The user only authenticates with the authorization server, which then issues an authorization code that can be exchanged for an access token.
+This helps to protect user credentials and prevents credentials from being compromised by malicious client applications.
+A refresh token is a token that you can use to get a new access token when your current access token is expired or when you need a new access token. You can use the refresh token grant type for this purpose. Issuing a refresh token is optional for the authorization server. If the authorization server issues a refresh token, it includes it in the response with the access token. You can use this refresh token and send it to the authorization server to obtain a new access token. Choreo's default authorization server, Asgardeo, issues refresh tokens for all grant types other than the client credentials grant type, as recommended by the OAuth 2.0 specification.
+Note
+The client credentials flow provides a secure way for client applications to obtain an access token without user authentication. This is useful in scenarios where the client application needs to access its own resources, such as data storage or APIs, but does not require access to user data. However, it is important to ensure that the client credentials are kept secure because any party who has these credentials can obtain access tokens and access the client's resources.
+The implicit grant flow is an OAuth 2.0 grant type that enables a client application to obtain an access token directly from the authorization server without an intermediate authorization code exchange. This flow is commonly used in browser-based applications where the client application runs in a web browser.
+However, it is important to note that the access token is exposed in the browser's URL fragment, which can make it vulnerable to certain types of attacks, such as cross-site scripting (XSS). As a result, this flow is typically not recommended for applications that require high security.
+The password grant flow is an OAuth 2.0 grant type that enables a client application to obtain an access token by presenting the user's username and password directly to the authorization server. This flow is generally considered less secure than other grant types, as it requires the client application to handle and transmit the user's credentials.
+The password grant is primarily used in scenarios where the client application is highly trusted, and the user experience is prioritized over security concerns. It is generally not recommended for use in public-facing applications or scenarios where sensitive data is accessed.
+Revoking JWT access tokens can be challenging due to their self-validating nature. Once a token is issued, it contains all the necessary information within itself to validate its authenticity, without requiring additional server-side lookups or interactions.
+It is recommended to use an expiry time that is not more than 900 seconds.
+In traditional session-based authentication, the server can easily revoke a session by invalidating its associated session ID. However, in the case of JWTs, there is no central authority that maintains a list of valid or invalid tokens. As a result, revoking a JWT token requires the use of denylist or allowlist techniques, which can add additional complexity to the authentication flow and may not always be foolproof.
+To mitigate these challenges, it is recommended to use short-lived JWT access tokens and regularly refresh them. This reduces the risk of unauthorized access if a token is stolen or leaked, as the token will expire after a short period of time. Additionally, implementing other security measures such as strong encryption and secure token storage can further enhance the security of JWT-based authentication.
+The Choreo Developer Portal keeps the lifespan of a token to 15 minutes (900 seconds) by default. Application Developers can increase the time if necessary, but as mentioned above, it is recommended to keep it to the minimal possible value.
+ + + + + + +You must subscribe to a published API to use it in your application. New API subscriptions cover all minor versions within the subscribed API’s major version.
+The subscription process is designed to ensure the secure authentication of API requests via application keys. Alternatively, you can generate credentials for an API without an explicit subscription to an application. However, this approach limits the capability to control advanced configurations such as access token expiry time, revoke token expiry time, ID token expiry time, and enabling access to the API without a secret. Generating keys in the API is recommended for testing or short-term usage but not for long-term production usage.
+To subscribe to an API via an application, follow the steps given below:
+Click Add to subscribe to an API. Depending on your requirement, you can subscribe to one or more APIs.
+Tip
+When a new minor version of an API is published, the major version-based invocation URL will automatically route to the latest minor version within the subscribed API's major version. This ensures that existing client applications can continue to function without disruption while benefiting from the improvements or additions in the newer minor version.
+
Once you subscribe to an API, you can invoke the API using the application keys.
+Choreo's application-sharing feature allows you to share your applications with members within your organization. This facilitates collaborative efforts when there is a need for multiple members to work on the same application.
+Follow the steps given below to share an application with members of your organization:
+In the Share Application dialog, enter one or more email addresses depending on the members with whom you want to share the applications.
+Note
+You must type an email address and press enter for it to get added.
+Click Confirm. This will share the application in read-only mode with the specified members.
+To see the members with whom the application is shared, go to the Application Overview page and take a look at the email addresses in the Shared with field.
+ + + + + + +Choreo allows you to deploy and manage prebuilt container images from external container registries as Choreo components. This enables you to deploy and effectively manage your container images within the Choreo environment.
+Info
+This feature is currently only available on private data planes (PDPs) for the following component types:
+Before you try out this guide, ensure you have the following:
+A container registry: Ensure you have a container registry containing the images you want to deploy. Choreo is compatible with various container registries, including but not limited to GCR (Google Container Registry), ACR (Azure Container Registry), GitHub Container Registry, and Docker Hub.
+An image in the registry: You need an image ready for deployment.
+(Optional) An external build/CI pipeline: This is to initiate automatic deployments during the build process outside of Choreo.
+When using a container registry to deploy a component, Choreo cannot create an image from the source code (Git) or initiate a new deployment when a new image is ready. However, you can use your existing build process to trigger a deployment on Choreo by sending an HTTP POST request to a webhook with the new image details.
+This feature is currently only available on private data planes (PDPs). You can find this option under Deploy an image from a container registry in the Select Source step during component creation for service components, web applications, scheduled tasks, and manual tasks.
+To get started, establish a connection between your container registry and Choreo.
+Info
+When you use your Choreo credentials, Choreo does not pull your images into its control plane. Instead, it functions as an orchestrator, facilitating your data plane's ability to retrieve images from an external container registry. Choreo passes on these credentials to the data plane for authentication and access.
+To register your container registry, follow these steps:
+Choreo provides the following authentication options:
+You can use this option to establish a connection with a container registry that permits unrestricted public or anonymous access (for example, Public Docker Hub). In this case, only the registry host information is necessary.
+For example, the following are the Docker Hub registry hosts for reference:
+| Vendor | +Registry host | +
|---|---|
| Docker Hub (public repositories) | +registry.hub.docker.com |
+
| Docker Hub (private repositories) | +registry.docker.com |
+
* If necessary, you can use other mirrors instead of the above.
+To use basic authentication to authenticate to the container registry, you must provide the username and password.
+You can provide a Docker config in JSON format to authenticate to the container registry. This option only allows you to register one container registry. That is, it only allows a single registry under auths.
You must provide the credentials directly within the configuration. Choreo cannot utilize references to executable authentication plugins.
+Sample Docker config format:
+ + +This option is specifically for private data planes, where your cloud provider manages authentication at the Kubernetes level. Choreo requires knowledge of the registry host because the data plane already possesses implicit (preconfigured) access to the registry.
+Follow the guidelines below based on your container registry:
+Azure Container Registry
+Recommended authentication options:
+Vendor-specific authentication on Azure private data planes
+Contact Choreo support to enable infrastructure-level private access to your registry from your Azure private data plane on AKS. If you are on a self-managed PDP on Azure, follow this guide.
+Google Artifact Registry
+Recommended authentication options:
+Service account-based basic authentication
+Use the service account key in JSON format (_json_key) as the username and specify the minified JSON contents of the service account key as the password.
You can use jq as follows to minify the service account JSON key file:
jq -c . <service-account.json>
Vendor-specific authentication on GCP private data planes
+Contact Choreo support to enable infrastructure-level private access to your registry from your GCP private data plane on GKE. If you are on a self-managed PDP on GCP, see https://cloud.google.com/artifact-registry/docs/access-control#grant-project.
+Elastic Container Registry
+ECR does not allow the creation of static access passwords for basic authentication. The passwords (that is, access tokens) provided by AWS are only valid for 10 hours and must be manually regenerated. However, when an ECR is attached to an EKS cluster at an infrastructure level, this limitation does not apply because the authentication is handled by AWS internally. For details, see https://docs.aws.amazon.com/AmazonECR/latest/userguide/registry_auth.html.
+Choreo recommends using ECR when you are exclusively on an AWS private data plane using the vendor-specific authentication option. Contact Choreo support to enable a private connection between your ECR and the underlying EKS clusters on your data plane. If you are on a self-managed PDP, you can follow this guide.
+Recommended authentication options:
+Basic authentication
+Use your Docker Hub username/password or an access token. You can generate an access token from your Docker Hub account settings and use it in place of the password. For details, see https://docs.docker.com/docker-hub/access-tokens/.
+Docker config
+Sign in to the Docker CLI and copy the contents of the docker config JSON. Note that external credential stores and multiple repositories within the same config object are not supported. For more information, see https://docs.docker.com/engine/reference/commandline/login/.
+GitHub Container Registry
+Recommended authentication option:
+Basic authentication using a PAT token
+Create a personal access token (PAT) and use it in place of the password. You cannot use your own GitHub password. You must provide a PAT token.
+Enter a display name, a unique name, and a description for the component.
+Info
+In the Component Name field, you must specify a name to uniquely identify the component in various contexts. The value is editable only at the time you create the component. You cannot change the name after you create the component.
+Click either the Docker Hub tab or the Container Registry tab depending on your vendor.
+Enter the full image URL. The image URL format in general is as follows:
+ [container-registry-host]/[repository-name]/[image-name]:[tag]
Tip
+When a public image from Docker Hub lacks a specified repository name, it typically defaults to /library/. For example, you can access the public Nginx image https://hub.docker.com/_/nginx as registry.hub.docker.com/library/nginx:1.25.
To deploy the component and bring your image to Choreo, follow the steps given below:
+Click Update.
+Info
+In this example, you deploy a Ballerina service as a REST endpoint. Therefore, Choreo generated the REST endpoint automatically. If you deploy a non-Ballerina service, you must manually add the REST endpoint and set the network visibility to Public.
+Select your update image option. Refer to the update options listed below.
+You have the capability of updating the image when you are deploying the component in Choreo in one of the following three ways:
+| Option | +Description | +
|---|---|
| Update Image Tag | +This option allows you to update the tag of the image. | +
| Update Image URL | +With this option, you can change the image name, tag, and the image repository of the image URL. | +
| Previous Images | +This option allows you to select a previous image and redeploy the image. | +
Click Deploy. This deploys the service to the development environment.
+Info
+This section only applies to service components.
+After creating a service component in Choreo, you have the option to define the endpoints for your service when manually deploying a new image.
+endpoints.yaml file by its file name, similar to the Git-based Choreo components. The endpoints template follows the standard definitions for defining endpoints in Choreo. For more details, see Configure Endpoints.Choreo does not have automatic detection and deployment for newly added images or tags in the linked container registry. To overcome this limitation, Choreo allows you to integrate your own CI pipelines and initiate deployments manually. This approach enables you to use your existing CI setup or build a pipeline for image creation and pushing. You can then trigger automatic deployments using a webhook.
+Follow the steps below to configure your CI/build pipeline:
+Generate a token for your CI pipeline from the Manage Tokens section.
+Note
+To trigger an automatic deployment to your development environment, you can initiate an HTTP POST request to the Choreo webhook endpoint with the updated image details. Alternatively, you can use the provided Webhook snippets. This action will seamlessly deploy the image to the development environment.
+Services and integrations are exposed to other services, integrations, or applications through endpoints. A service or an integration can expose multiple endpoints, each representing a unique entry point into the service. For example, a service may expose a REST API endpoint and a GraphQL endpoint, each providing different ways to interact with the service. Endpoints provide specific details for how the service or the integration can be consumed. For instance, the port number, protocol, and the schema such as open API specification (OAS) or GraphQL schema. By defining these details, endpoints make it possible for other services, integrations, and applications to discover and interact with the service in a standardized way.
+Choreo defines endpoints by combining port binding, protocol, endpoint name, network visibility, endpoint schema, and additional protocol-related fields. The following table describes each attribute of an endpoint.
+| Field | +Description | +
|---|---|
| Name | +A unique identifier for the endpoint within the service component. | +
| Port | +The network port on which the endpoint is accessible. | +
| Type | +The endpoint protocol. Supported protocols: REST, GraphQL, gRPC, WS, UDP, and TCP. | +
| Network Visibility | +Determines the level of visibility of an endpoint. Possible values are:
|
+
| Schema | +Specifies the structure and format of the data exchanged through the endpoint. | +
| Context (HTTP and GraphQL only) | +A context path that you add to the endpoint's URL for routing purposes. | +
The method of defining endpoints depends on the buildpack. For buildpacks other than Ballerina and WSO2 MI, it is required to have an component.yaml file in project root directory to create the Service component.
When you build a service component using any other buildpacks(Java, Python, NodeJS, Ruby, PHP, Go, Dockerfile, etc) other than Ballerina and WSO2 MI, you can configure the endpoint details with the component.yaml source configuration file. You must place this file inside the .choreo directory at the build context path and commit it to the source repository.
To learn about the component.yaml file, see Overview of the component.yaml file.
When you create a service component with the Ballerina buildpack, Choreo automatically detects the endpoint details for REST APIs. You can override the auto-generated endpoint configuration by providing the component.yaml file in the source directory.
Note
+Automatic endpoint generation is not supported for dynamic endpoint parameters such as variable ports. Therefore, you must use an component.yaml file to define dynamic endpoint parameters.
To learn about the component.yaml file, see Overview of the component.yaml file.
Exposing endpoints as managed APIs is crucial to ensure secure and controlled access to the services being exposed. When a user wants to expose their written service to the outside world or to the organization at large, there is an inherent security risk involved. To mitigate this risk, the Choreo platform is built with an internal (access within the organization only) or external (publicly accessible) gateway that is protected with Choreo API management making the services secure by design.
+Note
+This feature is not available for gRPC, UDP, and TCP endpoints.
+If you want to expose an endpoint as a managed API in Choreo, you need to set the network visibility to either Organization or Public. This allows the endpoint to be exposed through the Choreo API Gateway, which provides a number of benefits, including:
+Once you deploy the service component, Choreo will expose the endpoint as a managed API through the Choreo API Gateway. You can then use the full lifecycle API management features provided by Choreo to test, deploy, maintain, monitor, and manage your API using the API management features.
+The default URL of a component corresponds to the default endpoint of the component and is structured as follows:
+<domain>/<project-name>/<component-name>
This URL does not include the default endpoint name. For all other endpoints, the URL structure includes the endpoint name, as follows:
+<domain>/<project-name>/<component-name>/<endpoint-name>
If a component has multiple endpoints, Choreo allows you to change the endpoint corresponding to the default component URL. For a component with a single endpoint, the default URL automatically corresponds to that endpoint.
+To change the default endpoint of a component, follow the steps given below:
+Note
+Services and integrations are exposed to other services, integrations, or applications through endpoints. A service or an integration can expose multiple endpoints, each representing a unique entry point into the service. For example, a service may expose a REST API endpoint and a GraphQL endpoint, each providing different ways to interact with the service. Endpoints provide specific details for how the service or the integration can be consumed. For instance, the port number, protocol, and the schema such as open API specification (OAS) or GraphQL schema. By defining these details, endpoints make it possible for other services, integrations, and applications to discover and interact with the service in a standardized way.
+Choreo defines endpoints by combining port binding, protocol, endpoint name, network visibility, endpoint schema, and additional protocol-related fields. The following table describes each attribute of an endpoint.
+| Field | +Description | +
|---|---|
| Name | +A unique identifier for the endpoint within the service component. | +
| Port | +The network port on which the endpoint is accessible. | +
| Type | +The endpoint protocol. Supported protocols: REST, GraphQL, gRPC, WS, UDP, and TCP. | +
| Network Visibility | +Determines the level of visibility of an endpoint. Possible values are:
|
+
| Schema | +Specifies the structure and format of the data exchanged through the endpoint. | +
| Context (HTTP and GraphQL only) | +A context path that you add to the endpoint's URL for routing purposes. | +
The method of defining endpoints depends on the buildpack. For buildpacks other than Ballerina and WSO2 MI, it is required to have an component.yaml file in project root directory to create the Service component.
When you build a service component using any other buildpacks(Java, Python, NodeJS, Ruby, PHP, Go, Dockerfile, etc) other than Ballerina and WSO2 MI, you can configure the endpoint details with the component.yaml source configuration file. You must place this file inside the .choreo directory at the build context path and commit it to the source repository.
To learn about the component.yaml file, see Overview of the component.yaml file.
When you create a service component with the Ballerina buildpack, Choreo automatically detects the endpoint details for REST APIs. You can override the auto-generated endpoint configuration by providing the component.yaml file in the source directory.
Note
+Automatic endpoint generation is not supported for dynamic endpoint parameters such as variable ports. Therefore, you must use an component.yaml file to define dynamic endpoint parameters.
To learn about the component.yaml file, see Overview of the component.yaml file.
Exposing endpoints as managed APIs is crucial to ensure secure and controlled access to the services being exposed. When a user wants to expose their written service to the outside world or to the organization at large, there is an inherent security risk involved. To mitigate this risk, the Choreo platform is built with an internal (access within the organization only) or external (publicly accessible) gateway that is protected with Choreo API management making the services secure by design.
+Note
+This feature is not available for gRPC, UDP, and TCP endpoints.
+If you want to expose an endpoint as a managed API in Choreo, you need to set the network visibility to either Organization or Public. This allows the endpoint to be exposed through the Choreo API Gateway, which provides a number of benefits, including:
+Once you deploy the service component, Choreo will expose the endpoint as a managed API through the Choreo API Gateway. You can then use the full lifecycle API management features provided by Choreo to test, deploy, maintain, monitor, and manage your API using the API management features.
+The default URL of a component corresponds to the default endpoint of the component and is structured as follows:
+<domain>/<project-name>/<component-name>
This URL does not include the default endpoint name. For all other endpoints, the URL structure includes the endpoint name, as follows:
+<domain>/<project-name>/<component-name>/<endpoint-name>
If a component has multiple endpoints, Choreo allows you to change the endpoint corresponding to the default component URL. For a component with a single endpoint, the default URL automatically corresponds to that endpoint.
+To change the default endpoint of a component, follow the steps given below:
+Note
+Using Choreo, you can easily deploy applications written in different language frameworks (such as Java, Go, NodeJS, Python, etc.) on shared or private data planes using containers.
+Choreo supports deploying containerized applications for the following component types:
+To connect your GitHub repository to Choreo, you should authorize the Choreo Apps GitHub application to access your account or organization. When you attempt to connect your GitHub repository via the Component creation page, the Choreo Apps authorization prompt will appear.
+Connect GitHub Repository
+
Authorize GitHub Application
+
Grant Repository Access
+
The Choreo Apps requires the following permission:
+Note
+You can revoke access if you do not want Choreo to have access to your GitHub account. Choreo needs write access only to send pull requests to a user repository. Choreo does not directly push any changes to a repository.
+Alternatively, you can connect a public repository without requiring authorization from the Choreo Apps GitHub application. You can paste a public repository URL in the Provide Repository URL field at the time of component creation.
+Tip
+Authorizing the repository with the Choreo Apps GitHub application becomes essential if you want to enable Auto Deploy for the component. If you own the repository, you can subsequently authorize it with the Choreo Apps GitHub application to enable Auto Deploy.
+After granting access to the required repositories, you can choose a repository and an associated branch to connect to the Choreo component. +For the containerized application deployments, you should select the Dockerfile as the Buildpack and provide Dockerfile Path and Docker Context Path for the Docker build.
+
The following table describes the individual fields in the Create Component pane.
+| Field | +Description | +
|---|---|
| GitHub Account | +Your GitHub account or organization. If you want to add another GitHub account, you can expand the list and click + Add. | +
| GitHub Repository | +Depending on the repository access you provided, the list will show available repositories to be connected. | +
| Branch | +The branch of the repository. | +
| Buildpack | +Determines the implementation of the component: Any language or other language as a Docker container. | +
| Dockerfile Path | +The path to your Dockerfile. This path is defined relative to the repository root. For example, if the Dockerfile is at the repository root, the value for this field is /Dockerfile. |
+
| Docker Context Path | +The Docker build context path. To include the repository root, leave the default / value. |
+
| Port* | +The port at which your service is running. | +
| OpenAPI Filepath* | +The path to an OpenAPI specification (in YAML/JSON) relative to the repository root. If you don't provide a path, the system automatically generates a default allow-all specification. | +
Note
+Fields marked with * are not visible for all component types.
+To successfully build your container with Choreo, it is essential to explicitly define a User ID (UID) under the USER instruction in your Dockerfile. You can refer to the sample Dockerfile for guidance.
To ensure that the defined USER instruction is valid, it must conform to the following conditions:
+10001 or 10500.my-custom-user-12221 or my-custom-user are invalid User IDs.Choreo will automatically apply deployment configurations and settings based on the component type you select during creation. +For example, if you select the Service component type, Choreo will deploy it as a Kubernetes deployment with appropriate scaling configurations.
+You can run unit tests in the build pipeline by adding the relevant command to the Dockerfile. For example:
+ +You must provide any required configurations for running the application in the Configs & Secrets section of the component's DevOps page. Alternatively, you can also review the configurations when you manually deploy via the Deploy page.
+After clicking the Create button, you can select the confidentiality of the configuration and specify how to mount it to the container.
+
The following image shows adding a ConfigMap with File Mount mount type to be read by the application.
+
Note
+The JSON file includes ${DB_PASS} as an environment variable defined in a Secret. The application reads the JSON file and substitutes the placeholders with the corresponding environment variables.
+Choreo lets you configure deployment settings such as scaling, resource limits, and health checks based on your selected component type.
+For more information about these configurations, see Choreo's DevOps capabilities.
+You can configure the Endpoints to expose your service using the Service Component in Choreo. See Service Component Overview for more information.
+After adding the application configuration, you can build and deploy it by clicking the Deploy Manually button. Choreo will start the build process with the selected commit in the Build Area.
+Note
+The Auto Deploy on Commit feature, which automatically builds and deploys the application upon pushing a code change to the repository, is enabled by default. To turn off this feature, navigate to the Build Area of the Deploy page.
+Choreo scans your Dockerfile for security vulnerabilities during the build phase, and if there are no issues found, it proceeds with the build process. After building the image, it scans it again for vulnerabilities before deployment to the environment. You can view the build logs from the right-side panel, as shown in the image below.
+
Once the build process is complete, Choreo will deploy the application automatically to the Development environment. To promote the build to higher environments, you can click the Promote button. The number of environment cards visible on the page may vary depending on your environment configurations.
+By default, Choreo utilizes the Aqua Trivy (OSS) image vulnerability scanner to detect security vulnerabilities in all Dockerfile-based build pipelines. The scanner will fail the pipeline if any CRITICAL CVEs (Common Vulnerabilities and Exposures) are detected. CVEs of other severity levels are recorded but does not fail the pipeline.
+If you cannot fix a critical CVE immediately, you can opt to ignore it. To ignore a critical CVE, add a trivyignore (<docker-build-context-path>/.trivyignore) file to your build context path. In the file, add the CVEs you need the pipeline to ignore, one entry per line as follows:
You can add comments in the file by using # in front of the comment as follows:
Using Choreo, you can easily deploy applications written in different language frameworks (such as Java, Go, NodeJS, Python, Ruby, PHP, etc.) on shared or private data planes.
+Choreo supports deploying applications with buildpacks for the following component types:
+Buildpacks are a fundamental building block in modern application development. They convert your source code into a secure, efficient, production-ready container image without a Dockerfile. With Choreo, developers can take advantage of this powerful tool to effortlessly deploy their applications without the hassle of manual configuration.
+Choreo uses Google Buildpacks as default buildpacks for Java, Go, NodeJS, Python, PHP, and Ruby. Choreo uses its own buildpacks for Ballerina and WSO2 MI.
+To develop a service component that exposes a Service in Go, you can follow the Develop a Service guide.
+Follow the guidelines below based on your language:
+Supported Versions - 3.10.x, 3.11.x
+Refer below examples for different component types. Follow the readme.md inside the example.
| Component Type | +Example | +
|---|---|
| Service | +Reading Books List Service | +
| Manual Task | +Hello World Task | +
A Procfile is a configuration file used to declare the commands that are run by your application's containers.
Info
+In Python projects, it is mandatory to have a Procfile with the web process type in the project root directory.
Here's an example Procfile for an application:
e.g.,
+web: python main.py
+web: gunicorn --bind :8080 --workers 1 --threads 8 --timeout 0 main:app
+web: flask run --host=0.0.0.0
For more examples, see Choreo samples.
+Supported Versions - 2201.3.5, 2201.4.1, 2201.5.0, 2201.5.1, 201.6.0, 2201.7.0
+Refer below examples for different component types. Follow the readme.md inside the example.
| Component Type | +Example | +
|---|---|
| Service | +Echo Service | +
| Manual Task | +Covid19 Statistics To Email | +
| Webhook | +Salesforce New Case To Google Sheet | +
| Scheduled Task | +Shopify New Customers to HubSpot Create/Update Contact | +
For more examples, see Choreo samples.
+Supported Versions - 1.x
+Refer below examples for different component types. Follow the readme.md inside the example.
| Component Type | +Example | +
|---|---|
| Service | +Greeting Service | +
| Manual Task | +Hello World Task | +
| Web Application | +Hello World Web Application | +
For more examples, see Choreo samples.
+Supported Versions - 6.x, 7.x, 8.x
+Refer below examples for different component types. Follow the readme.md inside the example.
| Component Type | +Example | +
|---|---|
| Service | +Greeting Service | +
For more examples, see Choreo samples.
+Supported Versions + - 8, 11, 17, 18 (OpenJDK Runtime Environment Temurin)
+Refer below examples for different component types. Follow the readme.md inside the example.
| Component Type | +Example | +
|---|---|
| Service | +Product Management Service | +
| Manual Task | +Hello World Task | +
Info
+When working on Java projects:
+Main class should be defined in the manifest file.mvn.cmd exist in the project without the .mvn directory, the build will fail. To ensure a successful build, you must either commit the .mvn directory along with any Maven files or not include any Maven files in the project if you choose not to commit the .mvn directory.A Procfile is a configuration file used to declare the commands that are run by your application's containers.
+If you want to customize the default entry point of the container, you can include a Procfile with the web process type in the project root directory.
+In Java projects, it is optional to include a Procfile.
Here's an example Procfile for an application:
e.g.,
+web: java -jar target/sample.jar
For more examples, see Choreo samples.
+Supported Versions - 12.x.x, 14.x.x, 16.x.x, 18.x.x, 20.x.x
+Refer below examples for different component types. Follow the readme.md inside the example.
| Component Type | +Example | +
|---|---|
| Service | +Reading Books List Service | +
| Manual Task | +Hello World Task | +
A Procfile is a configuration file used to declare the commands that are run by your application's containers.
+If you want to customize the default entry point of the container, you can include a Procfile with the web process type in the project root directory.
+In NodeJS projects, it is optional to include a Procfile.
Here's an example Procfile for an application:
e.g.,
+web: node app.js
For more examples, see Choreo samples.
+Supported Versions - 8.1.x, 8.2.x
+Refer below examples for different component types. Follow the readme.md inside the example.
| Component Type | +Example | +
|---|---|
| Service | +Hello World Service | +
| Manual Task | +Hello World Task | +
| Web Application | +Hello World Web Application | +
A Procfile is a configuration file used to declare the commands that are run by your application's containers.
+If you want to customize the default entry point of the container, you can include a Procfile with the web process type in the project root directory.
+In PHP projects, it is optional to include a Procfile.
Here's an example Procfile for an application:
e.g.,
+web:php -S 0.0.0.0:8000 index.php
For more examples, see Choreo samples.
+Supported Versions - 3.1.x, 3.2.x
+Refer below examples for different component types. Follow the readme.md inside the example.
| Component Type | +Example | +
|---|---|
| Service | +Hello World Service | +
| Manual Task | +Hello World Task | +
| Web Application | +Hello World Web Application | +
A Procfile is a configuration file used to declare the commands that are run by your application's containers.
+If you want to customize the default entry point of the container, you can include a Procfile with the web process type in the project root directory.
+In Ruby projects, it is optional to include a Procfile.
Here's an example Procfile for an application:
e.g.,
+web: ruby app.rb
+web:bundle exec ruby app.rb -p 8080
For more examples, see Choreo samples.
+Supported Versions - 4.1.0.x, 4.2.0.x
+Refer below examples for different component types. Follow the readme.md inside the example.
| Component Type | +Example | +
|---|---|
| Service | +Hello World Service | +
For more examples, see Choreo samples.
+Supported Java Versions + - 8, 11, 17, 18 (OpenJDK Runtime Environment Temurin)
+Info
+You can use this buildpack only with web applications. For other component types, use the Java buildpack. Additionally, if the generated artifact is a WAR file, it is necessary to include a Procfile.
A Procfile is a configuration file used to declare the commands that are run by your application's containers.
+If you want to customize the default entry point of the container, you can include a Procfile with the web process type in the project root directory.
+In Java projects, it is optional to include a Procfile.
Here's an example Procfile for an application:
e.g.,
+web: java -jar target/sample.war
You can configure the environment variables necessary to build the component using the Build Configurations Editor on the component Build page.
+Info
+The capability to configure build-time environment variables is not available for components created using Ballerina or WSO2 MI buildpacks.
+During the build process, the build-time environment variables and their values are passed to the buildpack. Therefore, you can configure both buildpack-specific environment variables and those required for the component build.
+For example, if you want to override the Maven command of the Java buildpack, you can use GOOGLE_MAVEN_BUILD_ARGS as the environment key and clean install as the value.
For more examples, see Google Cloud's buildpacks documentation.
+ + + + + + +Choreo allows developers to design high-quality webhooks. To explore this capability, let's consider a scenario where a team of software engineers in an organization should be notified via email whenever someone creates a GitHub issue with the bug label in a specific repository.
In this tutorial, you will address the requirement by doing the following:
+Before you try out the steps in this guide, complete the following:
+If you are signing in to the Choreo Console for the first time, create an organization as follows:
+Stark Industries.Fork the Choreo samples repository, which contains the sample integration for this guide.
+To create a project, add a Webhook component to it, design the webhook, test it, and then commit it to make it available in the Choreo Console, follow these sub-steps:
+First, let's create a Webhook component as follows:
+To allow Choreo to connect to your GitHub account, click Authorize with GitHub. If you have not already connected your GitHub repository to Choreo, enter your GitHub credentials and select the repository you created in the prerequisites section to install the Choreo GitHub App.
+Alternatively, you can paste the Choreo samples repository URL in the Provide Repository URL field to connect to it without requiring authorization from the Choreo Apps GitHub application. However, authorizing the repository with the Choreo GitHub App is necessary if you want to enable Auto Deploy for the component.
+Note
+The Choreo GitHub App requires the following permissions:
+You can revoke access if you do not want Choreo to have access to your GitHub account. However, write access is exclusively utilized for sending pull requests to a user repository. Choreo will not directly push any changes to a repository.
+Select the Access Mode depending on your requirement.
+Enter the following information:
+| Field | +Description | +
|---|---|
| GitHub Account | +Your account | +
| GitHub Repository | +choreo-samples | +
| Branch | +main |
+
| Buildpack | +Ballerina | +
| Project Path | +github-event-to-email-webhook |
+
Click Create.
+Choreo creates the Webhook component with the sample implementation and opens the component Overview page.
+Let's deploy the webhook to the development environment to make it invokable:
+In the Configurations pane, enter the following information:
+In the webhookSecret field, enter any value.
+Note
+You must save this value for later use.
+In the toEmail field, enter the email address to send notification emails.
+You can monitor the deployment progress in the Console pane that opens on the right of the page.
+Once Choreo completes the deployment, the Development card indicates the Deployment Status as Active.
+Notes
+In the deployment card, you can click the icon corresponding to configurables to open the Configurations pane and edit configurations:
+To allow the webhook to read the labels of issues in a specific GitHub repository, you must connect the webhook to the GitHub repository. To do this, follow these steps:
+In the Choreo Console left navigation menu, click Overview.
+On the Overview page, copy the invoke URL. You can click the copy icon within the URL field.
+Go to your GitHub account and open the repository for which you want to generate notification emails.
+In the top menu, click the Settings tab.
+In the left navigation menu, click Webhooks.
+Click Add webhook and enter the following information:
+| Field | +Value | +
|---|---|
| Payload URL | +The invoke URL you copied in Step 3, sub-step 1. | +
| Content Type | +Select application/json |
+
| Secret | +The last webhook secret you configured in Step 2. | +
Tip
+Buildpack specifies the type of build to run depending on the implementation of the component. It converts the integration code into a Docker image that can run on Choreo cloud. If an integration is developed using WSO2 Integration Studio, select Micro Integrator as the buildpack. If an integration is developed using the Ballerina language, select Ballerina as the buildpack.
+Project Path specifies the location of the project to build the component.
+Under Which events would you like to trigger this webhook?, select Let me select individual events.
+Select the Issues checkbox in the list of events displayed.
+By doing so, you select GitHub issues as events that need to trigger this webhook.
+In the same list of events, clear the Pushes checkbox to ensure that GitHub does not trigger your webhook when the team pushes changes to the selected GitHub repository.
+Click Add webhook to save the configuration.
+Now you have integrated Choreo with GitHub via the webhook you created and deployed. You can proceed to test the webhook.
+To test your webhook, create a GitHub issue with the Bug label in the repository that you connected to the webhook.
You will receive a mail similar to the following to the email address you provided in Step 2.
+To promote the webhook to the Production environment, follow these steps:
+On the Deploy page, go to the Development card and click Promote.
+In the Configuration Types pane, leave the default selection (i.e., Use default configuration values) unchanged.
+If you have configured any default values for the configurable variables, selecting Use default configuration values allows you to proceed with those values.
+If you have not configured any default values for configurable variables, follow the steps given below to specify values.
+Click Next.
+In the webhookSecret field, enter any value.
+Note
+You must save this value for later use.
+In the toEmail field, enter the email address to send notification emails.
+Once the component is promoted to production, the Production card displays the deployment status as Active.
+Now you have successfully created, deployed, and tested a Webhook component and promoted it to production.
+ + + + + + +An API proxy acts as an intermediary between an existing API and Choreo, intercepting all requests made to the API. It also functions as a managed API, which allows you to apply essential API management features such as security policies and rate limiting.
+In this guide, you will:
+Before you try out this guide, complete the following:
+If you are signing in to the Choreo Console for the first time, create an organization as follows:
+Stark Industries.This creates the organization and opens the Project Home page of the default project created for you.
+To create an API proxy, you can either upload an OpenAPI specification or provide an OpenAPI specification URL. In this guide, you will specify a URL to an OpenAPI definition of a sample API.
+Follow the steps given below:
+Specify the values given in the following table as API proxy details:
+Info
+In the Name field, you must specify a name to uniquely identify the component in various contexts. The value is editable only at the time you create the component. You cannot change the name after you create the component.
+| Field | +Value | +
|---|---|
| Display Name | +HR API |
+
| Name | +hr-api |
+
| Context | +abc-hr |
+
| Version | +1.0 |
+
| Target | +https://samples.choreoapps.dev/company/hr |
+
| Access Mode | +External | +
Click Create.
+This creates the API proxy component and takes you to the Overview page. Now you can proceed to define resources for the API proxy.
+To add a new resource that can retrieve a department by the department ID, follow the steps given below:
+/department/{departmentId} as the URI Pattern.Click to expand the added resource and specify appropriate values for the Operation ID and Description fields. You can specify the values given in the following table:
+| Field | +Value | +
|---|---|
| Operation ID | +findDepartment |
+
| Description | +Find a department by department ID |
+
To remove the five default resources that start with /*, click the delete icon corresponding to each resource. This marks the resources for deletion.
To deploy the API proxy to the development environment, follow the steps given below:
+In the left navigation menu, click Deploy.
+In the Build Area card, click Configure & Deploy. This opens the Configure & Deploy pane, where you can select the API access mode depending on how you want the API to be accessible. Here, you can select External.
+Click Deploy. The Development card indicates the Deployment Status as Active when the API proxy is successfully deployed.
+Now you are ready to test the API proxy.
+Choreo allows you to test your API proxy using either the integrated OpenAPI Console or cURL.
+In this guide, you will use the OpenAPI Console to test the API proxy.
+Follow the steps given below:
+Tip
Choreo enables OAuth 2.0 to secure APIs by default. Therefore, you need an access token to invoke an API.
+In the left navigation menu, click Test and then click OpenAPI Console.
+Select Development from the environment drop-down list.
+Expand the GET /department/{departmentId} resource and click Try it Out to test it.
Enter 1 as the departmentId and click Execute. You will see a response similar to the following:
This indicates that your API proxy is working as expected.
+Now that you have a tested API proxy, you can publish it and make it available for application developers to consume. Depending on your requirement, you can apply security, throttling, and other settings to the API before you publish it.
+In this guide, you will apply rate limiting to the API and publish it.
+To apply a rate limiting level to the API, follow the steps given below:
+To publish the API proxy to the Choreo Developer Portal, follow the steps given below:
+To generate credentials for the published API and to invoke it via the Choreo Developer Portal, follow the steps below:
+To open the published API in the Choreo Developer Portal via the Lifecycle page, click Go to Devportal. This takes you to the HR API in the Choreo Developer Portal.
To generate credentials to test the API, follow the steps given below:
+Click Generate Credentials. Choreo generates new tokens and populates the Consumer Key and Consumer Secret fields.
+Tip
+If you want to test the API via an API test tool or through code, click Generate Access Token and copy the test token that is displayed. Alternatively, click cURL and copy the generated cURL command to use via a cURL client. You do not need to generate an access token if you are testing the API via the Try Out capability in the Choreo Developer Portal.
+To invoke a resource via the Try Out capability in the Choreo Developer Portal, follow the steps given below:
+GET /department/{departmentId} resource and click Try it out.Enter 1 as the departmentId and click Execute. You will see a response similar to the following:
Now, you have gained hands-on experience creating, deploying, testing, and publishing an API proxy using Choreo API Manager.
+To learn more about the API management capabilities supported by Choreo API Manager, see API Management.
+ + + + + + +The Choreo VS Code extension provides comprehensive component management capabilities to streamline local development within Choreo.
+To ensure a smooth development experience with the Choreo extension, make sure you have the following:
+Visual Studio Code installed with the Choreo extension version 2.0.0 or later.
+A locally cloned GitHub repository to create new components or link to existing Choreo components.
+Git version 2.0.0 or later.
+To use the capabilities of the Choreo extension in the VS Code editor, you need an active Choreo account. If you already have an account, follow these steps to set up the extension:
+Sign in to Choreo using one of the following methods:
+
Sign In command provided by the Choreo extension.This redirects you to an external URI to complete the authentication process. On successful sign-in, the Choreo activity pane displays your account details along with any components detected within the VS Code workspace.
+Create a new component using one of the following methods:
+
Create New Component command provided by the Choreo extension.If the Choreo extension cannot determine the project context of the opened workspace, it prompts you to select the organization and the project to which the new component belongs.
+Specify component details such as the name, type, buildpack, etc.
+
On successful creation, the component details view opens, and the Choreo activity pane displays the new component.
+
Tip
+Once the component is created, a .choreo/context.yaml file is generated in the root of the Git repository. For more details, see Understand the project context.
The component details view allows you to manage your component by performing various actions such as the following:
+Context files contain metadata related to the project, allowing the extension to establish an association between local directories and Choreo projects. These files, such as the context.yamlfile, resides in the /.choreo directory within the root of the Git repository.
The Choreo extension scans the root of the opened Git repository to find the context.yaml file and lists the components of the associated project. This allows you to easily open and manage the components they are developing within the VS Code workspace.
A context.yaml file can contain multiple projects, whereas, a workspace opened via VS Code can have multiple context.yaml files with different project associations. In such cases, VS Code allows you to switch between these projects, add new project associations, or remove existing ones, allowing you as a developer to focus on components of a particular project at a time.
You can decide whether to commit the context.yaml file to the Git repository. Committing this file enables other team members working on the same repository to have a seamless developer experience with Choreo.
If the context.yaml file for a particular project is not committed to the Git repository or is unavailable for other reasons, you can easily regenerate it using one of the following methods:
Link Directory command provided by the Choreo extension.To access a range of functionalities provided by the Choreo extension, open the VS Code command palette and type Choreo.
To troubleshoot Choreo extension issues, follow these steps:
+To open the OUTPUT pane, go to the VS Code editor main menu, click View, and then click Output.
+Select Choreo from the drop-down menu on the right-hand side to view the Choreo output for troubleshooting.
+For assistance with the Choreo VS Code extension, create GitHub issues.
+ + + + + + +Choreo enables you to develop components by connecting your GitHub, Bitbucket, or GitLab repository. You have the flexibility to either connect an existing repository or start with an empty repository and commit the source code later. By integrating your repositories with Choreo, you can automate tasks and optimize workflows across multiple systems, all within the Choreo platform. Choreo currently supports GitHub, Bitbucket, and GitLab as Git providers.
+Tip
+Choreo supports both Bitbucket Server and Bitbucket Cloud. The currently supported Bitbucket Server version is 8.9.2.
+In Choreo, you can connect a Git repository that contains Ballerina source code or a Docker project. To connect a Git repository to Choreo as a Docker project, your Git repository must include the following:
+Once you connect your Git repository to Choreo, you can build, deploy, and manage your application easily.
+Authorizing Choreo as a GitHub application grants Choreo the following permissions to perform the respective actions on your behalf within the repository:
+| Permission | +Read | +Write | +Description | +
|---|---|---|---|
| Issues | +Y | +N | +Read component ID label to filter the pull requests | +
| Metadata | +Y | +N | +List repositories | +
| Contents | +Y | +Y | +List branches and create a branch to commit sample code | +
| Pull Request | +Y | +Y | +Create a pull request if you start with a Choreo sample | +
| Webhooks | +Y | +Y | +Trigger automatic deployment and configuration generation | +
Choreo provides Git submodule support when you connect your GitHub repository to Choreo. This allows you to manage and include external repositories effectively within Choreo build pipelines. Key benefits of this capability include:
+For example, when you work with the Micro Integrator (MI) runtime in Choreo, you can use Git submodules to reuse MI templates and sequences across components without duplication.
+Tip
+If you encounter an error stating that you cannot clone a submodule due to insufficient permissions, follow the instructions below to grant the necessary permissions:
+For a personal account:
+For an organization account:
+Under Repository Access, grant access to the necessary repositories.
+Note
+Choreo currently does not support accessing private repositories in other organizations.
+Authorizing using a personal access token (PAT) from Bitbucket grants Choreo the following permissions to perform the respective actions on your behalf within the repository.
+| Permission | +Read | +Write | +Description | +
|---|---|---|---|
| Account | +Y | +N | +Get user information and workspace details | +
| Repositories | +Y | +Y | +List branches and create a branch to commit sample code | +
| Pull Requests | +Y | +Y | +Create a pull request if you start with a Choreo sample | +
| Webhooks | +Y | +Y | +Trigger automatic deployment and configuration generation | +
Authorizing using a personal access token (PAT) obtained from your GitLab self-managed server grants Choreo the following permissions to perform the respective actions on your behalf within the repository.
+| Permission | +Description | +
|---|---|
| API | +Grants full read/write access to the API, covering all groups and projects, as well as read/write access to the repository. | +
This guide walks you through the steps to develop, deploy, test, and observe a manual task using Choreo.
+In this guide, you will:
+Before you try out the steps in this guide, complete the following:
+If you are signing in to the Choreo Console for the first time, create an organization as follows:
+Stark Industries.Fork the Choreo samples repository, which contains the sample integration for this guide.
+Repository file structure
+To work with the sample repository, it is important to familiarize yourself with the repository file structure. The sample code for this guide is in the <sample-repository-dir>/weather-to-email-integration directory. To understand how the functionality is implemented, you must read the code comments. The following table describes what you will find in each file in the repository:
| File path | +File content | +
|---|---|
| Ballerina.toml | +Contains metadata about the project | +
| Dependencies.toml | +Lists the dependencies required for the project | +
| main.bal | +Contains the entry point of the project, including the main function | +
| types.bal | +Contains custom data types used in the project | +
| utils.bal | +Contains utility functions and helper functions used in the project | +
Go to OpenWeatherMap and sign up to obtain an API key. For details on how to obtain an API key, see the OpenWeatherMap documentation.
+Enter a unique name and a description for the component. You can use the name and description given below:
+| Field | +Value | +
|---|---|
| Component Name | +WeatherToEmail |
+
| Description | +My first manual task |
+
Go to the GitHub tab.
+To allow Choreo to connect to your GitHub account, click Authorize with GitHub. If you have not already connected your GitHub repository to Choreo, enter your GitHub credentials and select the repository you created in the prerequisites section to install the Choreo GitHub App.
+Alternatively, you can paste the Choreo samples repository URL in the Provide Repository URL field to connect to it without requiring authorization from the Choreo Apps GitHub application. However, authorizing the repository with the Choreo GitHub App is necessary if you want to enable Auto Deploy for the component.
+Note
+The Choreo GitHub App requires the following permissions:
+You can revoke access if you do not want Choreo to have access to your GitHub account. However, write access is exclusively utilized for sending pull requests to a user repository. Choreo will not directly push any changes to a repository.
+Enter the following information:
+| Field | +Description | +
|---|---|
| Organization | +Your GitHub account | +
| Repository | +choreo-samples |
+
| Branch | +main |
+
| Buildpack | +Ballerina | +
| Project Directory | +weather-to-email-integration |
+
Tip
+Buildpack specifies the type of build to run depending on the implementation of the component. It converts the integration code into a Docker image that can run on Choreo cloud. If an integration is developed using WSO2 Integration Studio, select Micro Integrator as the buildpack. If an integration is developed using the Ballerina language, select Ballerina as the buildpack.
+Project Directory specifies the location of the project to build the component.
+Click Create. Choreo initializes the component with the sample implementation and opens the Overview page of the component.
+To build the manual task, follow the steps given below:
+Select the latest commit and click Build. This triggers the build process and displays the build progress in the Build Logs pane.
+Info
+The build process can take a while to complete. When the build process is complete, the build will be listed in the Builds pane along with the build status.
+Here, you will see the build status as Success.
+To deploy the manual task, follow the steps given below:
+In the Configurations pane, specify values as follows for the configurable variables:
+Tip
+The configurable variables populated here are defined in the sample Ballerina project used in this guide. To learn how to declare configurable variables in Ballerina, see the Ballerina documentation on declaring configurable variables. If configurable variables are detected in a connected Ballerina project, Choreo prompts for the respective values during component deployment.
+| Field | +Value | +
|---|---|
| apiKey | +The API key you obtained in the prerequisites section | +
| latitude | +Latitude of the location to get the weather forecast | +
| longitude | +Longitude of the location to get the weather forecast | +
| The email address to receive the formatted weather forecast information | +
Note
+If you use Ballerina as the buildpack and you want to set a configurable variable as a secret, click the lock icon corresponding to the configurable variable. This marks it as a secret and conceals the input value.
+For example, if you consider the configurable variables in this guide and set the apiKey as a secret, its input value will be concealed as follows:
+
If you want to update the input value at a later time, you can click Update Secret Content and specify a new value.
+
Click Deploy.
+To execute the manual task, follow the steps given below:
+Click Run Now. This triggers the task.
+Inject dynamic values into your application as command-line arguments
+If you want to inject dynamic values into your application as command-line arguments when you run a manual task, follow the steps given below:
+The capability to run a manual task with arguments is supported for the following buildpacks:
+To explore a Dockerfile-based manual task with arguments, try out the Hello World Task sample. For instructions, see the readme.md file in the sample repository.
Info
+When you work on Docker projects, the Run with Arguments capability is not supported if the Dockerfile contains CMD. In such scenarios, you must use ENTRYPOINT to define your default commands.
To explore a Go-based manual task with arguments, try out the Hello World Go Task sample. For instructions, see the readme.md file in the sample repository.
To explore a Java-based manual task with arguments, try out the Hello World Java Task sample. For instructions, see the readme.md file in the sample repository.
Info
+When you work on Java projects:
+Procfile is available in the project.Main class should be defined in the manifest file.mvn.cmd exist in the project without the .mvn directory, the build will fail. To ensure a successful build, you must either commit the .mvn directory along with any Maven files or not include any Maven files in the project if you choose not to commit the .mvn directory.To explore a NodeJS-based manual task with arguments, try out the Hello World NodeJS Task sample. For instructions, see the readme.md file in the sample repository.
Info
+When you work on NodeJS projects:
+Procfile is available in the project.package.json file with the main attribute defined.To explore a WSO2 MI-based manual task with arguments, try out the Weather to Logs Task sample. For instructions, see the readme.md file in the sample repository.
Info
+When you work on WSO2 MI projects and you want to deploy a WSO2 MI integration as a manual task in Choroeo, you must use the WSO2 MI automation mode. For details, see Running the Micro Integrator in Automation Mode.
+To explore a Ballerina manual task with arguments, try out the Weather to Email Task sample. For instructions, see the README.md file in the sample repository.
+Info
+If you want to pass arguments to Ballerina main functions, you can use the Run with Arguments capability. For details on the arguments you can pass, see the Ballerina documentation. You can also override configurable values in the same manner. For more information, see Provide values to configurable variables.
+Once the task is triggered, an email with the subject [WSO2 Choreo Demo] Next 24H Weather Forecast is sent from choreo.demo@gmail.com to the email address specified as the email configurable variable value in Step 3.
If the manual task ran successfully, you should receive an email similar to the following to the email address you specified:
+
The observability view in Choreo displays graphs that depict details such as throughput, latency, diagnostic data, and logs to identify and troubleshoot anomalies in components you deploy.
+To visualize and monitor the performance of the manual task you deployed, click Observability in the left navigation menu. You can observe the following:
+To learn more about the observability details you can view via Choreo observability, see Observability Overview.
+To track and monitor executions associated with the deployed scheduled task, go to the left navigation menu and click Execute.
+Tip
+The Execute view is applicable to both scheduled and manual tasks.
+You can view the following information:
+The total number of executions within the past 30 days.
+
The currently active executions and those that are already complete.
+Here, you can view information such as the execution ID, the revision of the execution, and the time it was triggered.
+
Detailed execution logs for a specific execution.
+You can click on an execution to view detailed logs related to it.
+Info
+It may take a few minutes for the logs to appear. You may need to manually refresh to view the latest logs.
+
Choreo is a versatile integration platform that allows you to create various types of integrations depending on your requirement.
+If you have a requirement to automatically run a specific integration at regular intervals, you can use Choreo to develop a scheduled task. This type of integration can automate the synchronization of data between different systems at specified intervals, reducing errors and improving productivity by eliminating the need for manual intervention.
+This guide walks you through the steps to develop, deploy, test, and observe a scheduled task using Choreo.
+In this guide, you will:
+Before you try out the steps in this guide, complete the following:
+If you are signing in to the Choreo Console for the first time, create an organization as follows:
+Stark Industries.Fork the Choreo samples repository, which contains the sample integration for this guide.
+Repository file structure
+To work with the sample repository, it is important to familiarize yourself with the repository file structure. The sample code for this guide is in the <sample-repository-dir>/weather-to-email-scheduled-task directory. To understand how the functionality is implemented, you must read the code comments. The following table describes what you will find in each file in the repository:
| File path | +File content | +
|---|---|
| Ballerina.toml | +Contains metadata about the project | +
| Dependencies.toml | +Lists the dependencies required for the project | +
| main.bal | +Contains the entry point of the project, including the main function | +
| types.bal | +Contains custom data types used in the project | +
| utils.bal | +Contains utility functions and helper functions used in the project | +
Go to OpenWeatherMap and sign up to obtain an API key. For details on how to obtain an API key, see the OpenWeatherMap documentation.
+Enter a unique name and a description for the component. You can use the name and description given below:
+| Field | +Value | +
|---|---|
| Component Name | +WeatherToEmail |
+
| Description | +My first scheduled task |
+
Go to the GitHub tab.
+To allow Choreo to connect to your GitHub account, click Authorize with GitHub. If you have not already connected your GitHub repository to Choreo, enter your GitHub credentials and select the repository you created in the prerequisites section to install the Choreo GitHub App.
+Alternatively, you can paste the Choreo samples repository URL in the Provide Repository URL field to connect to it without requiring authorization from the Choreo Apps GitHub application. However, authorizing the repository with the Choreo GitHub App is necessary if you want to enable Auto Deploy for the component.
+Note
+The Choreo GitHub App requires the following permissions:
+You can revoke access if you do not want Choreo to have access to your GitHub account. However, write access is exclusively utilized for sending pull requests to a user repository. Choreo will not directly push any changes to a repository.
+Enter the following information:
+| Field | +Description | +
|---|---|
| Organization | +Your GitHub account | +
| Repository | +choreo-samples |
+
| Branch | +main |
+
| Buildpack | +Ballerina | +
| Project Directory | +weather-to-email-scheduled-task |
+
Tip
Click Create. Choreo initializes the component with the sample implementation and opens the Overview page of the component.
+Now you can proceed to build and deploy the scheduled task.
+To build the scheduled task, follow the steps given below:
+Select the latest commit and click Build. This triggers the build process and displays the build progress in the Build Logs pane.
+Info
+The build process can take a while to complete. When the build process is complete, the build will be listed in the Builds pane along with the build status.
+Here, you will see the build status as Success.
+To deploy the scheduled task, follow the steps given below:
+In the Configurations pane, specify values as follows for the configurable variables:
+Tip
+The configurable variables populated here are defined in the sample Ballerina project used in this guide. To learn how to declare configurable variables in Ballerina, see the Ballerina documentation on declaring configurable variables. If configurable variables are detected in a connected Ballerina project, Choreo prompts for the respective values during component deployment.
+| Field | +Value | +
|---|---|
| apiKey | +The API key you obtained in the prerequisites section | +
| latitude | +Latitude of the location to get the weather forecast | +
| longitude | +Longitude of the location to get the weather forecast | +
| The email address to receive the formatted weather forecast information | +
Note
+If you use Ballerina as the buildpack and you want to set a configurable variable as a secret, click the lock icon corresponding to the configurable variable. This marks it as a secret and conceals the input value.
+For example, if you consider the configurable variables in this guide and set the apiKey as a secret, its input value will be concealed as follows:
+
If you want to update the input value at a later time, you can click Update Secret Content and specify a new value.
+
Click Next.
+In this step, you must define a schedule to run the task. In this guide, you set the schedule to receive the weather information daily at 8.00 AM UTC. Enter values as follows to configure the schedule:
+| Field | +Value | +
|---|---|
| Select Time Zone | +Select a time zone to schedule the task | +
| Select Range | +Day | +
| Every | +1 |
+
| At | +08:00 |
+
Tip
+When you develop a scheduled task, you can define a schedule depending on your requirement. If you want to test and verify the immediately, you can schedule the deployment to run in just a few minutes after you create it. However, to avoid unnecessary expenses, make sure you reschedule or stop the deployment once you test and verify.
+Click Deploy. This deploys the scheduled task to the development environment and indicates the Scheduled Status as Active in the Development card.
+You can test the scheduled task when it runs at the configured time.
+When the scheduled task runs at the configured time, an email with the subject [WSO2 Choreo Demo] Next 24H Weather Forecast is sent from choreo.demo@gmail.com to the email address specified as the email configurable variable value in Step 3.
If the scheduled task ran successfully, you should receive an email similar to the following to the email address you specified:
+
The observability view in Choreo displays graphs that depict details such as throughput, latency, diagnostic data, and logs to identify and troubleshoot anomalies in components you deploy.
+To visualize and monitor the performance of the scheduled task you deployed, click Observability in the left navigation menu. You can observe the following:
+To learn more about the observability details you can view via Choreo observability, see Observability Overview.
+To track and monitor executions associated with the deployed scheduled task, go to the left navigation menu and click Execute.
+Tip
+The Execute view is applicable to both scheduled and manual tasks.
+You can view the following information:
+The total number of executions within the past 30 days.
+
The currently active executions and those that are already complete.
+Here, you can view information such as the execution ID, the revision of the execution, and the time it was triggered.
+
Detailed execution logs for a specific execution.
+You can click on an execution to view detailed logs related to it.
+Info
+It may take a few minutes for the logs to appear. You may need to manually refresh to view the latest logs.
+
An Event Handler executes predefined actions in response to specific events. Choreo simplifies the process of creating and deploying such integrations.
+This guide walks you through the steps to create and deploy an Event Handler using WSO2 MI and Choreo.
+In this guide, you will build a simple event handler that monitors RabbitMQ for new messages and displays them once they become available.
+Before you try out the steps in this guide, complete the following:
+If you are signing in to the Choreo Console for the first time, create an organization as follows:
+Stark Industries.Use an existing RabbitMQ instance or start a new RabbitMQ instance on a server that can be accessed via the internet. Obtain the username, hostname, password, and vhost from the RabbitMQ instance to use later as environment variables.
Fork the Choreo samples repository, which contains the sample integration for this guide.
+Enter a unique name and a description for the component. You can use the name and description given below:
+| Field | +Value | +
|---|---|
| Component Name | +SalesOrderListener |
+
| Description | +RabbitMQ integration |
+
Go to the GitHub tab.
+To allow Choreo to connect to your GitHub account, click Authorize with GitHub. If you have not already connected your GitHub repository to Choreo, enter your GitHub credentials and select the repository you created in the prerequisites section to install the Choreo GitHub App.
+Alternatively, you can paste the Choreo samples repository URL in the Provide Repository URL field to connect to it without requiring authorization from the Choreo Apps GitHub application. However, authorizing the repository with the Choreo GitHub App is necessary if you want to enable Auto Deploy for the component.
+Note
+The Choreo GitHub App requires the following permissions:
+You can revoke access if you do not want Choreo to have access to your GitHub account. However, write access is exclusively utilized for sending pull requests to a user repository. Choreo will not directly push any changes to a repository.
+Enter the following information:
+| Field | +Description | +
|---|---|
| Organization | +Your GitHub account | +
| Repository | +choreo-samples |
+
| Branch | +main |
+
| Buildpack | +WSO2 MI because you are creating the REST API from a WSO2 Integration Studio project | +
| Project Directory | +mi-rabbitmq-listener |
+
Tip
Click Create.
+To deploy the integration, follow the steps given below:
+In the Configurations pane, click + Add corresponding to Environment Variables and add the following environment variables:
+Tip
Use the values from your RabbitMQ instance as per the Prerequisites section, for the environment variables.
+ +| Name | +Value | +
|---|---|
| HOSTNAME | +Hostname of your RabbitMQ server | +
| VHOST | +Virtual hostname of your RabbitMQ server | +
| USERNAME | +Username for connecting to RabbitMQ | +
| PASSWORD | +Password associated with the RabbitMQ username | +
Click Deploy. This deploys the event handler to the development environment and indicates the Deployment Status as Active in the Development card.
+To test the integration, follow the steps given below:
+Now you have gained hands-on experience in creating, configuring, and deploying an event handler.
+ + + + + + +The seamless integration of APIs, microservices, applications, and data across different languages and formats requires the ability to expose integrations as APIs. Choreo simplifies building, deploying, and managing integration components, making it easy for you to quickly expose integrations as APIs.
+Note
+This guide walks you through the steps to expose an integration you created in WSO2 Integration Studio as an API in Choreo.
+In this guide, you will:
+Before you try out the steps in this guide, complete the following:
+If you are signing in to the Choreo Console for the first time, create an organization as follows:
+Stark Industries.Fork the Choreo samples repository, which contains the sample integration for this guide.
+Enter a unique name and a description for the component. You can enter the name and description given below:
+| Field | +Value | +
|---|---|
| Component Name | +Hello World |
+
| Description | +Hello World REST API |
+
Go to the GitHub tab.
+To allow Choreo to connect to your GitHub account, click Authorize with GitHub. If you have not already connected your GitHub repository to Choreo, enter your GitHub credentials and select the repository you created in the prerequisites section to install the Choreo GitHub App.
+Alternatively, you can paste the Choreo samples repository URL in the Provide Repository URL field to connect to it without requiring authorization from the Choreo Apps GitHub application. However, authorizing the repository with the Choreo GitHub App is necessary if you want to enable Auto Deploy for the component.
+Note
+The Choreo GitHub App requires the following permissions:
+You can revoke access if you do not want Choreo to have access to your GitHub account. However, write access is exclusively utilized for sending pull requests to a user repository. Choreo will not directly push any changes to a repository.
+Enter the following information:
+| Field | +Description | +
|---|---|
| Organization | +Your GitHub account | +
| Repository | +choreo-samples |
+
| Branch | +main |
+
| Buildpack | +WSO2 MI because you are creating the REST API from a WSO2 Integration Studio project | +
| Project Directory | +hello-world-mi |
+
Click Create. Choreo initializes the component with the sample integration.
+To deploy the integration component to the development environment, follow the steps given below:
+Click Deploy. This deploys the integration component to the development environment. +The Development card indicates the Deployment Status as Active when the integration is successfully deployed.
+Tip
+Choreo uses endpoints to expose Service component to the network. You can read more about configuring endpoints in Configure Endoints.
+Tip
+Automatic deployment is enabled for the component by default. Therefore, you are required to perform only the first deployment manually.
+Now you can test the integration.
+To test the integration using the OpenAPI Console. Follow the steps given below:
+Go to the Response body section and observe the response returned by the integration. If the integration works as expected, you should see a response similar to the following:
+{"Hello" : "Integration"}
The observability view in Choreo displays graphs that depict details such as throughput, latency, diagnostic data, and logs to identify and troubleshoot anomalies in components you deploy.
+To visualize and monitor the performance of the integration component you deployed, click Observability in the left navigation menu. You can observe the following:
+To learn more about the observability details you can view via Choreo observability, see Observability Overview.
+To publish the integration component, follow the steps given below:
+To open the published API in the Developer Portal via the Lifecycle Management pane, click Go to Devportal. In the Choreo Developer Portal, you can view the published API, manage subscriptions for it, and generate access tokens for testing purposes.
+Now, you have gained hands-on experience in exposing an integration designed using WSO2 Integration Studio as a REST API in Choreo.
+ + + + + + +Choreo allows you to develop and deploy applications using your preferred programming language. This guide demonstrates how to deploy a service component that exposes a REST API using the Ballerina language. No prior knowledge of the Ballerina language is required to follow this guide.
+A REST API is a web service adhering to Representational State Transfer (REST) principles, using HTTP methods to access and manage resources. This guide walks you through building a Ballerina service component, deploying it on Choreo, and using it with an HTTP client application.
+In this guide, you will:
+Build a simple greeting service using a sample service implementation. The sample implementation will have a single resource named greet that accepts a single query parameter as input.
Request:
+$ curl GET http://localhost:9090/greeter/greet?name=Ballerina
Response:
+$ hello Ballerina!
Deploy the service in Choreo. The service will run on port 9090.
+Before you try out this guide, complete the following:
+If you are signing in to the Choreo Console for the first time, create an organization as follows:
+Stark Industries.This creates the organization and opens the Project Home page of the default project created for you.
+Fork the Choreo samples repository, which contains the sample greetings service implementation in Ballerina.
It is important to understand the purpose of the key files in the sample service. The following table provides a brief overview of each file in the greeter service:
+Note
+The specified file paths are relative to <sample-repository-dir>/greeting-service.
| Filepath | +Description | +
|---|---|
service.bal |
+The greetings service code written in the Ballerina language. | +
tests/service_test.bal |
+Test files related to the service.bal file. |
+
Ballerina.toml |
+The Ballerina configuration file. | +
Let's get started!
+To create a Ballerina service component, follow these steps:
+Enter a display name, a unique name, and a description for the service component. You can enter the values given below:
+Info
+In the Component Name field, you must specify a name to uniquely identify the component in various contexts. The value is editable only at the time you create the component. You cannot change the name after you create the component.
+| Field | +Value | +
|---|---|
| Component Display Name | +Ballerina Greetings |
+
| Component Name | +ballerina-greetings |
+
| Description | +Send greetings | +
Go to the GitHub tab.
+To allow Choreo to connect to your GitHub account, click Authorize with GitHub. If you have not already connected your GitHub repository to Choreo, enter your GitHub credentials and select the repository you created in the prerequisites section to install the Choreo GitHub App.
+Alternatively, you can paste the Choreo samples repository URL in the Provide Repository URL field to connect to it without requiring authorization from the Choreo Apps GitHub application. However, authorizing the repository with the Choreo GitHub App is necessary if you want to enable Auto Deploy for the component.
+Note
+The Choreo GitHub App requires the following permissions:
+You can revoke access if you do not want Choreo to have access to your GitHub account. However, write access is exclusively utilized for sending pull requests to a user repository. Choreo will not directly push any changes to a repository.
+Under Connect Your Repository, enter the following information:
+| Field | +Value | +
|---|---|
| Organization | +Your GitHub account | +
| Repository | +choreo-samples | +
| Branch | +main |
+
Select Ballerina as the buildpack.
+/greeting-service.You have successfully created a service that exposes a REST API written in the Ballerina language. Next, let's build and deploy the service.
+Now that you have connected the source repository and configured the endpoint details, it's time to build and deploy the service.
+Note
+If you are rebuilding the Ballerina service component after changing the Ballerina version, ensure that before building the code, the version of the Ballerina distribution mentioned in the Ballerina.toml file matches the distribution version specified in the Dependencies.toml file.
To build the service, follow these steps:
+On the Build page, click Build Latest.
+Note
+Building the service component may take a while. You can track the progress via the logs in the Build Details pane. Once the build process is complete, the build status changes to Success.
+To deploy the service, follow these steps:
+Review the Endpoint Details and click Deploy.
+Note
+Deploying the service component may take a while. Once deployed, the Development environment card indicates the Deployment Status as Active.
+To build and deploy the service, follow the steps below:
+Once you have successfully deployed your service, you can test, manage, and observe it like any other component type in Choreo.
+For detailed instructions, see the following sections:
+ +If you want to view Kubernetes-level insights to perform a more detailed diagnosis of this Ballerina REST API, see Choreo's DevOps capabilities.
+ + + + + + +Choreo is a platform that allows you to create and deploy applications in any language.
+In this guide, you will:
+greet that accepts a single query parameter as input.If you want to create a service component that exposes a Ballerina service, see Develop a Ballerina Service .
+Before you try out this guide, complete the following:
+If you are signing in to the Choreo Console for the first time, create an organization as follows:
+Stark Industries.This creates the organization and opens the Project Home page of the default project created for you.
+Fork the Choreo samples repository, which contains the sample greetings service implementation with the Dockerfile.
+It is important to understand the purpose of the key files in the sample service. The following table provides a brief overview of each file in the greeter service:
+Note
+The specified file paths are relative to <sample-repository-dir>/greeting-service-go
| Filepath | +Description | +
|---|---|
main.go |
+The Go-based greeter service code. | +
Dockerfile |
+The Dockerfile to build the container image of the application. | +
.choreo/component.yaml |
+Choreo-specific configuration that provides information about how Choreo exposes the service. | +
openapi.yaml |
+The OpenAPI contract of the greeter service. This is required to publish the service as a managed API. This openapi.yaml file is referenced by the .choreo/component.yaml file. |
+
Let's get started!
+In Choreo, you can expose your services via endpoints.
+You are going to run the greeter service on port 9090. To securely expose the service through Choreo, you must provide the port and other required information to Choreo. For detailed information on each attribute of an endpoint, see Configure Endpoints.
+To configure the endpoint details of a containerized component, Choreo looks for an component.yaml file inside the .choreo directory. Be sure to place the .choreo directory at the root of the Docker build context path.
In the greeter sample, the component.yaml file is in the greeting-service-go/.choreo/ directory.
To create a containerized service component, follow these steps:
+Enter a display name, a unique name, and a description for the service component. You can enter the values given below:
+Info
+In the Component Name field, you must specify a name to uniquely identify the component in various contexts. The value is editable only at the time you create the component. You cannot change the name after you create the component.
+| Field | +Value | +
|---|---|
| Component Display Name | +Greetings |
+
| Component Name | +greetings |
+
| Description | +Send greetings | +
Go to the GitHub tab.
+To allow Choreo to connect to your GitHub account, click Authorize with GitHub. If you have not already connected your GitHub repository to Choreo, enter your GitHub credentials and select the repository you created in the prerequisites section to install the Choreo GitHub App.
+Alternatively, you can paste the Choreo samples repository URL in the Provide Repository URL field to connect to it without requiring authorization from the Choreo Apps GitHub application. However, authorizing the repository with the Choreo GitHub App is necessary if you want to enable Auto Deploy for the component.
+Note
+The Choreo GitHub App requires the following permissions:
+You can revoke access if you do not want Choreo to have access to your GitHub account. However, write access is exclusively utilized for sending pull requests to a user repository. Choreo will not directly push any changes to a repository.
+Under Connect Your Repository, enter the following information:
+| Field | +Value | +
|---|---|
| Organization | +Your GitHub account | +
| Repository | +choreo-samples | +
| Branch | +main |
+
Select Docker as the buildpack.
+Enter the following information:
+| Field | +Value | +
|---|---|
| Docker Context | +/greeting-service-go |
+
| Dockerfile | +/greeting-service-go/Dockerfile |
+
Info
+To successfully build your container with Choreo, it is essential to explicitly define a user ID (UID) under the USER instruction in your Dockerfile. For reference, see sample Dockerfile. +To ensure that the defined USER instruction is valid, it must conform to the following conditions:
+10001 or 10500.my-custom-user-12221 or my-custom-user are invalid User IDs.The Dockerfile used in this guide is a multi-stage Dockerfile, which is designed to keep the final image size small and provides the ability to build the application with a specific version of tools and libraries.
+Click Create. This creates the component and takes you to the Overview page of the component.
+You have successfully created a service from a Dockerfile. Next, you can build and deploy the service.
+Now that we have connected the source repository, and configured the endpoint details, it's time to build the service and create an image. Then we can deploy that image test the greeter service.
+To build the service, follow these steps:
+On the Build page, click Build Latest.
+Note
+Building the service component may take a while. You can track the progress via the logs in the Build Details pane. Once the build process is complete, the build status changes to Success.
+You can access the following scans under Build.
+Container (Trivy) vulnerability scan: The details of the vulnerabilities open in a separate pane. If this scan detects critical vulnerabilities, the build will fail.
+Info
+If you have Choreo environments on a private data plane, you can ignore these vulnerabilities and proceed with the deployment.
+To deploy the service, follow these steps:
+Review the Endpoint Details and click Deploy.
+Note
+Deploying the service component may take a while. Once deployed, the Development environment card indicates the Deployment Status as Active.
+Once you have successfully deployed the service, you can test, manage, and observe it like any other component type in Choreo.
+To perform a more detailed diagnosis of this Dockerfile-based REST API by viewing Kubernetes-level insights, see Choreo's DevOps capabilities.
+ + + + + + +Choreo allows you to create and deploy applications in your preferred programming language.
+In this guide, you will:
+greet that accepts a single query parameter as input.Go buildpack. The service will run on port 9090.Before you try out this guide, complete the following:
+If you are signing in to the Choreo Console for the first time, create an organization as follows:
+Stark Industries.This creates the organization and opens the Project Home page of the default project created for you.
+Fork the Choreo samples repository, which contains the sample greetings service implementation in Go.
It is important to understand the purpose of the key files in the sample service. The following table provides a brief overview of each file in the greeter service:
+Note
+The specified file paths are relative to <sample-repository-dir>/greeting-service-go
| Filepath | +Description | +
|---|---|
main.go |
+The Go-based greeter service code. | +
.choreo/component.yaml |
+Choreo-specific configuration that provides information about how Choreo exposes the service. | +
openapi.yaml |
+The OpenAPI contract of the greeter service. This is required to publish the service as a managed API. This openapi.yaml file is referenced by the .choreo/component.yaml file. |
+
Let's get started!
+In Choreo, you can expose your services via endpoints.
+You are going to run the greeter service on port 9090. To securely expose the service through Choreo, you must provide the port and other required information to Choreo. For detailed information on each attribute of an endpoint, see Configure Endpoints.
+To configure the endpoint details of a containerized component, Choreo looks for an component.yaml file inside the .choreo directory. Be sure to place the .choreo directory at the root of the Docker build context path.
In the greeter sample, the component.yaml file is in the greeting-service-go/.choreo/ directory.
To create a containerized service component, follow these steps:
+Enter a display name, a unique name, and a description for the service component. You can enter the values given below:
+Info
+In the Component Name field, you must specify a name to uniquely identify the component in various contexts. The value is editable only at the time you create the component. You cannot change the name after you create the component.
+| Field | +Value | +
|---|---|
| Component Display Name | +Greetings |
+
| Component Name | +greetings |
+
| Description | +Send greetings | +
Go to the GitHub tab.
+To allow Choreo to connect to your GitHub account, click Authorize with GitHub. If you have not already connected your GitHub repository to Choreo, enter your GitHub credentials and select the repository you created in the prerequisites section to install the Choreo GitHub App.
+Alternatively, you can paste the Choreo samples repository URL in the Provide Repository URL field to connect to it without requiring authorization from the Choreo Apps GitHub application. However, authorizing the repository with the Choreo GitHub App is necessary if you want to enable Auto Deploy for the component.
+Note
+The Choreo GitHub App requires the following permissions:
+You can revoke access if you do not want Choreo to have access to your GitHub account. However, write access is exclusively utilized for sending pull requests to a user repository. Choreo will not directly push any changes to a repository.
+Under Connect Your Repository, enter the following information:
+| Field | +Value | +
|---|---|
| Organization | +Your GitHub account | +
| GitHub Repository | +choreo-samples | +
| Branch | +main |
+
Select Go as the buildpack.
+Enter the following information:
+| Field | +Value | +
|---|---|
| Go Project Directory | +/greeting-service-go |
+
| Language Version | +1.x | +
Click Create. This creates the component and lists it under Component Listing on the project home page.
+You have successfully created the service. The next step is to build and deploy it.
+Now that you have connected the source repository and configured the endpoint details, it's time to build and deploy the greeter service.
+To build the service, follow these steps:
+Greetings component you created. This takes you to the component overview page.On the Build page, click Build Latest.
+Note
+Building the service component may take a while. You can track the progress via the logs in the Build Details pane. Once the build process is complete, the build status changes to Success.
+To deploy the service, follow these steps:
+Review the Endpoint Details and click Deploy.
+Note
+Deploying the service component may take a while. Once deployed, the Development environment card indicates the Deployment Status as Active.
+Once you have successfully deployed the service, you can test, manage, and observe it like any other component type in Choreo.
+ + + + + + +Choreo offers the flexibility to develop and deploy applications in a language of your preference. This guide shows you how to deploy a service component that exposes a GraphQL API using the Ballerina language in Choreo. No prior knowledge of the Ballerina language is required to follow this guide.
+GraphQL API is a query language and runtime that provides a single endpoint for retrieving flexible and efficient data in a strongly-typed and self-documenting way. By following this guide, you will build a service component in Ballerina and deploy it on Choreo for any GraphQL client application to utilize it.
+This guide shows how to build a simple reading list service and deploy it in Choreo using Ballerina. The GraphQL endpoint you create in this guide has two operations: Query and Mutation. The Query type operations read the data in the data source, and the Mutation operations update the data in the data source. The reading list service has two queries and three mutations as follows:
+Retrieve the reading list
+This resource accepts an optional filter, status, which filters the reading list by reading status. Accepted values for status are reading, read, and to_read.
Sample request: +
$ curl -X POST -H "Content-Type: application/json" -d '{"query": "query {allBooks (status: \"reading\") { id title author status }}"}' http://localhost:8090
+Sample response +
$ {
+ "data": {
+ "allBooks": [
+ {
+ "id": 1,
+ "title": "Sample Book",
+ "author": "Test Author",
+ "status": "to_read"
+ }
+ ]
+ }
+}
+Retrieve a book item from the reading list
+This resource accepts a filter, id, which will select the book item from the reading list by book id. The id is an Integer value.
Sample request +
$ curl -X POST -H "Content-Type: application/json" -d '{"query": "query {book (id: 1) { id title author status }}"}' http://localhost:8090
+Sample response +
$ {
+ "data": {
+ "book": {
+ "id": 1,
+ "title": "Sample Book",
+ "author": "Test Author",
+ "status": "to_read"
+ }
+ }
+}
+Add a book item to the reading list
+This remote function accepts a book record as the input and consists of the title and the author. When you add a new book to the reading list, the method updates the reading status of the newly added book to to_read. This method returns the added book item upon successful execution.
Sample request
+$ curl -X POST -H "Content-type: application/json" -d '{ "query": "mutation { addBook(book: {title: \"Sample Book\", author: \"Test Author\"}) { id title author status } }" }' 'http://localhost:8090'
+Sample response
+$ {
+ "data": {
+ "addBook": {
+ "id": 1,
+ "title": "Sample Book",
+ "author": "Test Author",
+ "status": "to_read"
+ }
+ }
+}
+Update the reading status of a book
+This remote function requires id and status as inputs to update the reading status of the selected book. The id refers to the id of the book. It is an integer. The status refers to the reading status that needs to be updated. This method returns the updated book item upon successful execution.
Sample request
+$ curl -X POST -H "Content-type: application/json" -d '{ "query": "mutation { setStatus(id: 1, status: \"reading\") { id title author status } }" }' 'http://localhost:8090'
+Sample response
+$ {
+ "data": {
+ "setStatus": {
+ "id": 1,
+ "title": "Sample Book",
+ "author": "Test Author",
+ "status": "reading"
+ }
+ }
+}
+Delete a book item from the reading list
+This remote function requires the id as the input to delete the book item from the reading list. This method returns the removed book item upon successful execution.
Sample request
+$ curl -X POST -H "Content-type: application/json" -d '{ "query": "mutation { deleteBook(id: 1) { id title author status } }" }' 'http://localhost:8090'
+Sample response +
$ {
+ "data": {
+ "deleteBook": {
+ "id": 1,
+ "title": "Sample Book",
+ "author": "Test Author",
+ "status": "reading"
+ }
+ }
+}
+Our next step is to set up the resources that you will require to follow the guide, including the sample reading list application and the Choreo GitHub app.
+If you are signing in to the Choreo Console for the first time, create an organization as follows:
+Stark Industries.This creates the organization and opens the Project Home page of the default project created for you.
+Fork the Choreo samples repository, which contains the sample GraphQL service implementation for this guide.
+Let's get started!
+It is important to understand the purpose of the key files in the sample service. The following table provides a brief overview of each file in the reading list service.
+Note
+The following file paths are relative to the path <sample-repository-dir>/reading-list-graphql.
| Filepath | +Description | +
|---|---|
service.bal |
+The reading list service code written in the Ballerina language. | +
Ballerina.toml |
+The Ballerina configuration file. | +
.choreo/component.yaml |
+The configuration file with endpoint details. | +
To create a Ballerina service component, follow these steps:
+Enter a display name, a unique name, and a description for the service component. You can enter the values given below:
+Info
+In the Component Name field, you must specify a name to uniquely identify the component in various contexts. The value is editable only at the time you create the component. You cannot change the name after you create the component.
+| Field | +Value | +
|---|---|
| Component Display Name | +Ballerina Reading List |
+
| Component Name | +ballerina-reading-list |
+
| Description | +Manage a reading list | +
Click the GitHub tab.
+To allow Choreo to connect to your GitHub account, click Authorize with GitHub. If you have not already connected your GitHub repository to Choreo, enter your GitHub credentials and select the repository you created in the prerequisites section to install the Choreo GitHub App.
+Alternatively, you can paste the Choreo samples repository URL in the Provide Repository URL field to connect to it without requiring authorization from the Choreo Apps GitHub application. However, authorizing the repository with the Choreo GitHub App is necessary if you want to enable Auto Deploy for the component.
+Note
+The Choreo GitHub App requires the following permissions:
+You can revoke access if you do not want Choreo to have access to your GitHub account. However, write access is exclusively utilized for sending pull requests to a user repository. Choreo will not directly push any changes to a repository.
+Under Connect Your Repository, enter the following information:
+| Field | +Value | +
|---|---|
| Organization | +Your GitHub account | +
| GitHub Repository | +choreo-samples |
+
| Branch | +main |
+
Select Ballerina as the buildpack.
+Enter the following information:
+| Field | +Value | +
|---|---|
| Ballerina Project Directory | +reading-list-graphql |
+
Click Create. This creates the component and takes you to the Overview page of the component.
+You have successfully created a service component that exposes a GraphQL API written in the Ballerina language. Next, let's build and deploy the service.
+Now that we have connected the source repository, it's time to build and deploy the reading list service.
+To build the service, follow these steps:
+On the Build page, click Build Latest.
+Note
+Building the service component may take a while. You can track the progress via the logs in the Build Details pane. Once the build process is complete, the build status changes to Success.
+To deploy the service, follow these steps:
+Review the Endpoint Details and click Deploy.
+Note
+Deploying the service component may take a while. Once deployed, the Development environment card indicates the Deployment Status as Active.
+To build and deploy the service, follow the steps below:
+Once you have successfully deployed your service, you can test, manage, and observe it like any other component type in Choreo.
+For detailed instructions, see the following sections:
+ + + + + + + +Choreo allows you to create and deploy applications in your preferred programming language. One powerful option is gRPC, a high-performance and language-agnostic remote procedure call (RPC) framework. It utilizes Protocol Buffers to define services and generate client/server code.
+In this guide, you will learn to use Choreo to create a service component that exposes a gRPC server implemented in Go, enabling efficient and scalable communication with any gRPC client application. No prior knowledge of the Go language is necessary to follow this guide.
+By following this guide, you will:
+Link the containerized gRPC service to the Choreo component using the Dockerfile.
+ The greeter service has a single RPC method named sayHello. Following is the proto file the server and the client application are using:
Deploy the gRPC server component in Choreo.
+Before you try out this guide, complete the following:
+If you are signing in to the Choreo Console for the first time, create an organization as follows:
+Stark Industries.This creates the organization and opens the Project Home page of the default project created for you.
+Fork the Choreo samples repository, which contains the sample service implementation for this guide.
+Let's get started!
+It is important to understand the purpose of the key files in the sample service. The following table provides a brief overview of each file in the greeter service.
+Note
+The following file paths are relative to the path <sample-repository-dir>/go-grpc.
| File Path | +Description | +
|---|---|
main.go |
+The greeter service code written in the Go language. | +
greeter_client/main.go |
+The greeter client application written in the Go language. | +
Dockerfile.server |
+The Dockerfile to build the container image of the server application. | +
Dockerfile.client |
+The Dockerfile to build the container image of the client application. | +
.choreo/component.yaml |
+The Choreo-specific configuration that provides information about how Choreo exposes the service. | +
pkg/greeter.proto |
+The interface definition of the gRPC service. This is used to generate the server and client stubs for the Go application. | +
In Choreo, you can expose your services via endpoints.
+Let's run the gRPC server service component on port 8080. To securely expose the service through Choreo, you must provide the port and other required information to Choreo. For detailed information on each attribute of an endpoint, see Configure Endpoints.
+Choreo looks for an component.yaml file inside the .choreo directory to configure the endpoint details of the containerized component. Ensure the .choreo directory is at the root of the Docker build context path.
In the gRPC server sample, the component.yaml file is at go-grpc/.choreo/component.yaml, where the build context path is go-grpc.
To create a containerized service component, follow these steps:
+Enter a display name, a unique name, and a description for the service component. You can enter the values given below:
+Info
+In the Component Name field, you must specify a name to uniquely identify the component in various contexts. The value is editable only at the time you create the component. You cannot change the name after you create the component.
+| Field | +Value | +
|---|---|
| Component Display Name | +Go gRPC Server |
+
| Component Name | +go-grpc-server |
+
| Description | +Send greetings | +
Click the GitHub tab.
+To allow Choreo to connect to your GitHub account, click Authorize with GitHub. If you have not already connected your GitHub repository to Choreo, enter your GitHub credentials and select the repository you created in the prerequisites section to install the Choreo GitHub App.
+Alternatively, you can paste the Choreo samples repository URL in the Provide Repository URL field to connect to it without requiring authorization from the Choreo Apps GitHub application. However, authorizing the repository with the Choreo GitHub App is necessary if you want to enable Auto Deploy for the component.
+Note
+The Choreo GitHub App requires the following permissions:
+You can revoke access if you do not want Choreo to have access to your GitHub account. However, write access is exclusively utilized for sending pull requests to a user repository. Choreo will not directly push any changes to a repository.
+Under Connect Your Repository, enter the following information:
+| Field | +Value | +
|---|---|
| Organization | +Your GitHub account | +
| GitHub Repository | +choreo-samples |
+
| Branch | +main |
+
Select Docker as the buildpack.
+Enter the following information:
+| Field | +Value | +
|---|---|
| Docker Context | +go-grpc |
+
| Dockerfile | +go-grpc/Dockerfile.server |
+
Info
+To successfully build your container with Choreo, it is essential to explicitly define a User ID (UID) under the USER instruction in your Dockerfile. For reference, see the sample Dockerfile. +To ensure that the defined USER instruction is valid, it must conform to the following conditions:
+10001 or 10500.my-custom-user-12221 or my-custom-user are invalid User IDs.The Dockerfile utilized in this guide is a multi-stage Dockerfile, which is designed to keep the final image size small and provides the ability to build the application with a specific version of tools and libraries.
+Click Create. This creates the component and takes you to the Overview page of the component.
+You have successfully created a service from a Dockerfile. Next, you can build and deploy the service.
+Now that you have connected the source repository, and configured the endpoint details, it's time to build the service and create an image. Then you can deploy the image and test the greeter service.
+To build the service, follow these steps:
+On the Build page, click Build Latest.
+Note
+Building the service component may take a while. You can track the progress via the logs in the Build Details pane. Once the build process is complete, the build status changes to Success.
+You can access the following scans under Build.
+Container (Trivy) vulnerability scan: The details of the vulnerabilities open in a separate pane. If this scan detects critical vulnerabilities, the build will fail.
+Info
+If you have Choreo environments on a private data plane, you can ignore these vulnerabilities and proceed with the deployment.
+To deploy the service, follow these steps:
+Review the Endpoint Details and click Deploy.
+Note
+Deploying the service component may take a while. Once deployed, the Development environment card indicates the Deployment Status as Active.
+Once you have successfully deployed your service, navigate to the component overview page and copy the gRPC service URL. You need to provide that URL when setting up the client application later in this guide.
+You have successfully deployed the gRPC server. Currently, the gRPC service is only accessible by the components deployed within the same project.
+Let's invoke the gRPC service that you created above, using a gRPC client.
+To create a manual task component, follow these steps:
+Enter a display name, a unique name, and a description for the component. You can enter the values given below:
+Info
+In the Component Name field, you must specify a name to uniquely identify the component in various contexts. The value is editable only at the time you create the component. You cannot change the name after you create the component.
+| Field | +Value | +
|---|---|
| Component Display Name | +Go gRPC Client |
+
| Component Name | +go-grpc-client |
+
| Description | +Receive greetings |
+
Click the GitHub tab.
+To allow Choreo to connect to your GitHub account, click Authorize with GitHub. If you have not already connected your GitHub repository to Choreo, enter your GitHub credentials and select the repository you created in the prerequisites section to install the Choreo GitHub App.
+Alternatively, you can paste the Choreo samples repository URL in the Provide Repository URL field to connect to it without requiring authorization from the Choreo Apps GitHub application. However, authorizing the repository with the Choreo GitHub App is necessary if you want to enable Auto Deploy for the component.
+Note
+The Choreo GitHub App requires the following permissions:
+You can revoke access if you do not want Choreo to have access to your GitHub account. However, write access is exclusively utilized for sending pull requests to a user repository. Choreo will not directly push any changes to a repository.
+Under Connect Your Repository, enter the following information:
+| Field | +Value | +
|---|---|
| Organization | +Your GitHub account | +
| GitHub Repository | +choreo-samples |
+
| Branch | +main |
+
Select Docker as the buildpack.
+Enter the following information:
+| Field | +Value | +
|---|---|
| Docker Context | +go/grpc |
+
| Dockerfile | +go/grpc/Dockerfile.client |
+
Click Create. This creates the component and takes you to the Overview page of the component.
+To build the component, follow these steps:
+On the Build page, click Build Latest.
+Note
+Building the service component may take a while. You can track the progress via the logs in the Build Details pane. Once the build process is complete, the build status changes to Success.
+The client application, in this case, the gRPC client, requires the server URL of the gRPC server service. This is read from the client application as an environment variable. Follow the steps below to configure the environment variable for the client application:
+Specify the following name and value to configure the environment variable for the client application:
+| Field | +Value | +
|---|---|
| Name | +GREETER_SERVICE |
+
| Value | +Paste the URL value copied after deploying the gRPC service via step 2.2 above. Make sure to drop the http:// or grpc:// part and the trailing / from the URL when copying. For example, if the URL is http://go-grpc-server-3192360657:8080/, add only go-grpc-server-3192360657:8080. |
+
Click Add and then click Next.
+To execute the gRPC client, follow these steps:
+For details on what you can monitor via the execute page, see Monitor executions.
+ + + + + + +Choreo supports deploying Prism-based mock servers using OpenAPI specifications. With the Choreo Prism mock service component, you can serve multiple mock servers, each based on a different OpenAPI specification, as separate endpoints.
+By default, these mock servers serve static content generated from the examples in the configured OpenAPI Specification (OAS).
+Before you try out this guide, complete the following:
+If you are signing in to the Choreo Console for the first time, create an organization as follows:
+Stark Industries.This creates the organization and opens the Project Home page of the default project created for you.
+Fork the Choreo samples repository, which contains the Prism mock service artifacts for this guide.
+To create a Prism mock service component, follow these steps:
+Enter a display name, a unique name, and a description for the service component.
+Info
+In the Component Name field, you must specify a name to uniquely identify the component in various contexts. The value is editable only at the time you create the component. You cannot change the name after you create the component.
+Click the GitHub tab.
+To allow Choreo to connect to your GitHub account, click Authorize with GitHub. If you have not already connected your GitHub repository to Choreo, enter your GitHub credentials and select the repository you created in the prerequisites section to install the Choreo GitHub App.
+Alternatively, you can paste the Choreo samples repository URL in the Provide Repository URL field to connect to it without requiring authorization from the Choreo Apps GitHub application. However, authorizing the repository with the Choreo GitHub App is necessary if you want to enable Auto Deploy for the component.
+Note
+The Choreo GitHub App requires the following permissions:
+You can revoke access if you do not want Choreo to have access to your GitHub account. However, write access is exclusively utilized for sending pull requests to a user repository. Choreo will not directly push any changes to a repository.
+Under Connect Your Repository, enter the following information:
+| Field | +Value | +
|---|---|
| Organization | +Your GitHub account | +
| GitHub Repository | +choreo-samples |
+
| Branch | +main |
+
Select Prism Mock as the buildpack.
+prism-mock-service as the Project Directory.Now that you have successfully created the Prism mock service, it's time to build and deploy it.
+To build the service, follow these steps:
+On the Build page, click Build Latest. This builds the service from the latest commit.
+Note
+Building the service component may take a while. You can track the progress via the logs in the Build Details pane. Once the build process is complete, the build status changes to Success.
+To deploy the service, follow these steps:
+Review the Endpoint Details and click Deploy.
+Note
+Deploying the service component may take a while. Once deployed, the Development environment card indicates the Deployment Status as Active.
+Once you have successfully deployed the service, you can test, manage, and observe it like any other component type in Choreo.
+The Prism mock service can serve dynamic content according to the schema definitions in the OpenAPI specification. To use the Prism mock service with dynamic content, clients must add the prefer:dynamic=true header in the request.
To generate meaningful dynamic responses, you can use the x-faker attribute in schema definitions of the OpenAPI specification. For more information on dynamically generated responses with the x-faker attribute, see the Prism documentation.
Choreo offers the flexibility to design and deploy applications in the programming language of your choice. One viable choice for specific network communication needs is TCP (Transmission Control Protocol). TCP provides a reliable, stream-oriented communication mechanism that ensures data integrity and orderliness during transmission. It's the go-to option for scenarios where guaranteed data delivery and error recovery are paramount.
+In this guide, you will learn to use Choreo to create a service component that exposes a TCP server implemented in Go, enabling efficient and scalable communication with any TCP client application. No prior knowledge of the Go language is necessary to follow this guide.
+By following this guide, you will:
+Before you try out this guide, complete the following:
+If you are signing in to the Choreo Console for the first time, create an organization as follows:
+Stark Industries.This creates the organization and opens the Project Home page of the default project created for you.
+Fork the Choreo samples repository, which contains the sample service implementation for this guide.
+Let's get started!
+It is important to understand the purpose of the key files in the sample service. The following table provides a brief overview of each file in the sample service.
+Note
+The following file paths are relative to the path <sample-repository-dir>/docker-tcp-service.
| File Path | +Description | +
|---|---|
server/main.go |
+The greeter service code written in the Go language. | +
client/main.go |
+The greeter client application written in the Go language. | +
Dockerfile.server |
+The Dockerfile to build the container image of the server application. | +
Dockerfile.client |
+The Dockerfile to build the container image of the client application. | +
.choreo/component.yaml |
+The Choreo-specific configuration provides information about how Choreo exposes the service. | +
In Choreo, you can expose your services via endpoints.
+Let's run the TCP server service component on port 5050. To securely expose the service through Choreo, you must provide the port and other required information to Choreo. For detailed information on each attribute of an endpoint, see Configure Endpoints.
+Choreo looks for an component.yaml file inside the .choreo directory to configure the endpoint details of a containerized component. Place the .choreo directory at the root of the Docker build context path.
In our TCP server sample, the component.yaml file is at docker-tcp-service/.choreo/component.yaml, where the build context path is docker-tcp-service.
To create a containerized service component, follow these steps:
+Enter a display name, a unique name, and a description for the service component. You can enter the values given below:
+Info
+In the Component Name field, you must specify a name to uniquely identify the component in various contexts. The value is editable only at the time you create the component. You cannot change the name after you create the component.
+| Field | +Value | +
|---|---|
| Component Display Name | +Go TCP Server |
+
| Component Name | +go-tcp-server |
+
| Description | +Send greetings | +
Click the GitHub tab.
+To allow Choreo to connect to your GitHub account, click Authorize with GitHub. If you have not already connected your GitHub repository to Choreo, enter your GitHub credentials and select the repository you created in the prerequisites section to install the Choreo GitHub App.
+Alternatively, you can paste the Choreo samples repository URL in the Provide Repository URL field to connect to it without requiring authorization from the Choreo Apps GitHub application. However, authorizing the repository with the Choreo GitHub App is necessary if you want to enable Auto Deploy for the component.
+Note
+The Choreo GitHub App requires the following permissions:
+You can revoke access if you do not want Choreo to have access to your GitHub account. However, write access is exclusively utilized for sending pull requests to a user repository. Choreo will not directly push any changes to a repository.
+Under Connect Your Repository, enter the following information:
+| Field | +Value | +
|---|---|
| Organization | +Your GitHub account | +
| GitHub Repository | +choreo-samples |
+
| Branch | +main |
+
Select Docker as the buildpack.
+Enter the following information:
+| Field | +Value | +
|---|---|
| Docker Context | +docker-tcp-service |
+
| Dockerfile | +docker-tcp-service/Dockerfile.server |
+
Info
+To successfully build your container with Choreo, it is essential to explicitly define a User ID (UID) under the USER instruction in your Dockerfile. For reference, see the sample Dockerfile. +To ensure that the defined USER instruction is valid, it must conform to the following conditions:
+10001 or 10500.my-custom-user-12221 or my-custom-user are invalid User IDs.The Dockerfile utilized in this guide is a multi-stage Dockerfile, which is designed to keep the final image size small and provides the ability to build the application with a specific version of tools and libraries.
+Click Create. This creates the component and takes you to the Overview page of the component.
+You have successfully created a service from a Dockerfile. Next, you can build and deploy the service.
+Now that you have connected the source repository, and configured the endpoint details, it's time to build the service and create an image. Then you can deploy the image and test the service.
+To build the service, follow these steps:
+On the Build page, click Build Latest.
+Note
+Building the service component may take a while. You can track the progress via the logs in the Build Details pane. Once the build process is complete, the build status changes to Success.
+You can access the following scans under Build.
+Container (Trivy) vulnerability scan: The details of the vulnerabilities open in a separate pane. If this scan detects critical vulnerabilities, the build will fail.
+Info
+If you have Choreo environments on a private data plane, you can ignore these vulnerabilities and proceed with the deployment.
+To deploy the service, follow these steps:
+Review the Endpoint Details and click Deploy.
+Note
+Deploying the service component may take a while. Once deployed, the Development environment card indicates the Deployment Status as Active.
+Once you have successfully deployed your service, navigate to the component overview page and copy the TCP service address. You need to provide that address when setting up the client application later in this guide.
+You have successfully deployed the TCP server. Currently, the TCP service is only accessible by the components deployed within the same project.
+Now let's use a TCP client to invoke the TCP service that you created above. To do this, you can create a manual trigger component as the TCP client. This is the recommended approach because, in this example, it's more efficient to have a client that connects to the server, sends a request, and then stops. Here, a continuously executing task isn't required. Furthermore, if you use a manual trigger component, you won't need to expose an endpoint in the client for invocation, unlike with an API.
+To create a manual task component, follow these steps:
+Enter a display name, a unique name, and a description for the component. You can enter the values given below:
+Info
+In the Component Name field, you must specify a name to uniquely identify the component in various contexts. The value is editable only at the time you create the component. You cannot change the name after you create the component.
+| Field | +Value | +
|---|---|
| Component Display Name | +Go TCP Client |
+
| Component Name | +go-tcp-client |
+
| Description | +Receive greetings |
+
Click the GitHub tab.
+To allow Choreo to connect to your GitHub account, click Authorize with GitHub. If you have not already connected your GitHub repository to Choreo, enter your GitHub credentials and select the repository you created in the prerequisites section to install the Choreo GitHub App.
+Alternatively, you can paste the Choreo samples repository URL in the Provide Repository URL field to connect to it without requiring authorization from the Choreo Apps GitHub application. However, authorizing the repository with the Choreo GitHub App is necessary if you want to enable Auto Deploy for the component.
+Note
+The Choreo GitHub App requires the following permissions:
+You can revoke access if you do not want Choreo to have access to your GitHub account. However, write access is exclusively utilized for sending pull requests to a user repository. Choreo will not directly push any changes to a repository.
+Under Connect Your Repository, enter the following information:
+| Field | +Value | +
|---|---|
| Organization | +Your GitHub account | +
| GitHub Repository | +choreo-samples |
+
| Branch | +main |
+
Select Docker as the buildpack.
+Enter the following information:
+| Field | +Value | +
|---|---|
| Docker Context | +docker-tcp-service |
+
| Dockerfile | +docker-tcp-service/Dockerfile.client |
+
Click Create. This creates the component and takes you to the Overview page of the component.
+To build the component, follow these steps:
+On the Build page, click Build Latest.
+Note
+Building the service component may take a while. You can track the progress via the logs in the Build Details pane. Once the build process is complete, the build status changes to Success.
+The client application, in this case, the TCP client, requires the server URL of the TCP server service. This is read from the client application as an environment variable. Follow the steps below to configure the environment variable for the client application:
+Specify the following name and value to configure the environment variable for the client application:
+| Field | +Value | +
|---|---|
| Name | +SERVER_ADDRESS |
+
| Value | +Paste the URL value copied after deploying the TCP service via step 2.2 above. Make sure to drop the tcp:// part and the trailing / from the URL when copying. For example, add only go-tcp-server-1097922445:8080. |
+
Click Add and then click Next.
+To execute the TCP client, follow these steps:
+For details on what you can monitor via the execute page, see Monitor executions.
+ + + + + + +Choreo offers the flexibility to design and deploy applications in the programming language of your choice. One compelling choice for certain network communication needs is UDP (User Datagram Protocol). UDP is a high-speed, connectionless protocol ideal for scenarios where lightweight, real-time data transmission is essential.
+In this guide, you will learn to use Choreo to create a Service component that exposes a UDP server implemented in Go, enabling efficient and scalable communication with any UDP client application. No prior knowledge of the Go language is necessary to follow this guide.
+By following this guide, you will:
+Before you try out this guide, complete the following:
+If you are signing in to the Choreo Console for the first time, create an organization as follows:
+Stark Industries.This creates the organization and opens the Project Home page of the default project created for you.
+Fork the Choreo samples repository, which contains the sample service implementation for this guide.
+Let's get started!
+It is important to understand the purpose of the key files in the sample service. The following table provides a brief overview of each file in the sample service.
+Note
+The following file paths are relative to the path <sample-repository-dir>/docker-udp-service.
| File Path | +Description | +
|---|---|
server/main.go |
+The greeter service code written in the Go language. | +
client/main.go |
+The greeter client application written in the Go language. | +
Dockerfile.server |
+The Dockerfile to build the container image of the server application. | +
Dockerfile.client |
+The Dockerfile to build the container image of the client application. | +
.choreo/component.yaml |
+The Choreo-specific configuration provides information about how Choreo exposes the service. | +
In Choreo, you can expose your services via endpoints.
+Let's run the UDP server service component on port 5050. To securely expose the service through Choreo, you must provide the port and other required information to Choreo. For detailed information on each attribute of an endpoint, see Configure Endpoints.
+Choreo looks for an component.yaml file inside the .choreo directory to configure the endpoint details of a containerized component. Place the .choreo directory at the root of the Docker build context path.
In our gRPC server sample, the component.yaml file is at docker-udp-service/.choreo/component.yaml, where the build context path is docker-udp-service.
To create a containerized service component, follow these steps:
+Enter a display name, a unique name, and a description for the service component. You can enter the values given below:
+Info
+In the Component Name field, you must specify a name to uniquely identify the component in various contexts. The value is editable only at the time you create the component. You cannot change the name after you create the component.
+| Field | +Value | +
|---|---|
| Component Display Name | +Go UDP Server |
+
| Component Name | +go-udp-server |
+
| Description | +Send greetings | +
Click the GitHub tab.
+To allow Choreo to connect to your GitHub account, click Authorize with GitHub. If you have not already connected your GitHub repository to Choreo, enter your GitHub credentials and select the repository you created in the prerequisites section to install the Choreo GitHub App.
+Alternatively, you can paste the Choreo samples repository URL in the Provide Repository URL field to connect to it without requiring authorization from the Choreo Apps GitHub application. However, authorizing the repository with the Choreo GitHub App is necessary if you want to enable Auto Deploy for the component.
+Note
+The Choreo GitHub App requires the following permissions:
+You can revoke access if you do not want Choreo to have access to your GitHub account. However, write access is exclusively utilized for sending pull requests to a user repository. Choreo will not directly push any changes to a repository.
+Under Connect Your Repository, enter the following information:
+| Field | +Value | +
|---|---|
| Organization | +Your GitHub account | +
| GitHub Repository | +choreo-samples |
+
| Branch | +main |
+
Select Docker as the buildpack.
+Enter the following information:
+| Field | +Value | +
|---|---|
| Docker Context | +docker-udp-service |
+
| Dockerfile | +docker-udp-service/Dockerfile.server |
+
Info
+To successfully build your container with Choreo, it is essential to explicitly define a User ID (UID) under the USER instruction in your Dockerfile. For reference, see the sample Dockerfile. +To ensure that the defined USER instruction is valid, it must conform to the following conditions:
+10001 or 10500.my-custom-user-12221 or my-custom-user are invalid User IDs.The Dockerfile utilized in this guide is a multi-stage Dockerfile, which is designed to keep the final image size small and provides the ability to build the application with a specific version of tools and libraries.
+Click Create. This creates the component and takes you to the Overview page of the component.
+You have successfully created a service from a Dockerfile. Next, you can build and deploy the service.
+Now that you have connected the source repository, and configured the endpoint details, it's time to build the service and create an image. Then you can deploy the image and test the service.
+To build the service, follow these steps:
+On the Build page, click Build Latest.
+Note
+Building the service component may take a while. You can track the progress via the logs in the Build Details pane. Once the build process is complete, the build status changes to Success.
+You can access the following scans under Build.
+Container (Trivy) vulnerability scan: The details of the vulnerabilities open in a separate pane. If this scan detects critical vulnerabilities, the build will fail.
+Info
+If you have Choreo environments on a private data plane, you can ignore these vulnerabilities and proceed with the deployment.
+To deploy the service, follow these steps:
+Review the Endpoint Details and click Deploy.
+Note
+Deploying the service component may take a while. Once deployed, the Development environment card indicates the Deployment Status as Active.
+Once you have successfully deployed your service, navigate to the component overview page and copy the UDP service address. You must provide that address when setting up the client application later in this guide.
+You have successfully deployed the UDP server. Currently, the UDP service is only accessible by the components deployed within the same project.
+Now let's use a UDP client to invoke the UDP service that you created above. To do this, you can create a manual trigger component as the UDP client. This is the recommended approach because, in this example, it's more efficient to have a client that connects to the server, sends a request, and then stops. Here, a continuously executing task isn't required. Furthermore, if you use a manual trigger component, you won't need to expose an endpoint in the client for invocation, unlike with an API.
+To create a manual task component, follow these steps:
+Enter a display name, a unique name, and a description for the component. You can enter the values given below:
+Info
+In the Component Name field, you must specify a name to uniquely identify the component in various contexts. The value is editable only at the time you create the component. You cannot change the name after you create the component.
+| Field | +Value | +
|---|---|
| Component Display Name | +Go UDP Client |
+
| Component Name | +go-udp-client |
+
| Description | +Receive greetings |
+
Click the GitHub tab.
+To allow Choreo to connect to your GitHub account, click Authorize with GitHub. If you have not already connected your GitHub repository to Choreo, enter your GitHub credentials and select the repository you created in the prerequisites section to install the Choreo GitHub App.
+Alternatively, you can paste the Choreo samples repository URL in the Provide Repository URL field to connect to it without requiring authorization from the Choreo Apps GitHub application. However, authorizing the repository with the Choreo GitHub App is necessary if you want to enable Auto Deploy for the component.
+Note
+The Choreo GitHub App requires the following permissions:
+You can revoke access if you do not want Choreo to have access to your GitHub account. However, write access is exclusively utilized for sending pull requests to a user repository. Choreo will not directly push any changes to a repository.
+Under Connect Your Repository, enter the following information:
+| Field | +Value | +
|---|---|
| Organization | +Your GitHub account | +
| GitHub Repository | +choreo-samples |
+
| Branch | +main |
+
Select Docker as the buildpack.
+Enter the following information:
+| Field | +Value | +
|---|---|
| Docker Context | +docker-udp-service |
+
| Dockerfile | +docker-udp-service/Dockerfile.client |
+
Click Create. This creates the component and takes you to the Overview page of the component.
+To build the component, follow these steps:
+On the Build page, click Build Latest.
+Note
+Building the service component may take a while. You can track the progress via the logs in the Build Details pane. Once the build process is complete, the build status changes to Success.
+The client application, in this case, the UDP client, requires the server URL of the UDP server service. This is read from the client application as an environment variable. Follow the steps below to configure the environment variable for the client application:
+Specify the following name and value to configure the environment variable for the client application:
+| Field | +Value | +
|---|---|
| Name | +SERVER_ADDRESS |
+
| Value | +Paste the URL value copied after deploying the UDP service via step 2.2 above. Make sure to drop the udp:// part and the trailing / from the URL when copying. For example, add only go-udp-server-1097922445:8080. |
+
Click Add and then click Next.
+To execute the UDP client, follow these steps:
+For details on what you can monitor via the execute page, see Monitor executions.
+ + + + + + +Choreo allows you to create and deploy applications in your preferred programming language, offering a seamless platform for building dynamic and scalable solutions. This guide walks you through the steps to deploy a WebSocket service using the NodeJS buildpack.
+WebSockets provide real-time, two-way communication between a client and server over a persistent TCP connection. This makes WebSocket APIs ideal for applications that require real-time updates.
+In this guide, you will:
+If you are signing in to the Choreo Console for the first time, create an organization as follows:
+Stark Industries.This creates the organization and opens the Project Home page of the default project created for you.
+Fork the Choreo samples repository, which contains the sample WebSocket service implementation for this guide.
+Let's get started!
+It is important to understand the purpose of the key files in the sample service. The following table provides a brief overview of each file in the NodeJS chat Application.
+Note
+The following file paths are relative to the path <sample-repository-dir>/websocket-chat-app/websocket-chat-service-nodejs.
| Filepath | +Description | +
|---|---|
server.js |
+The NodeJS chat service. | +
.choreo/component-config.yaml |
+The configuration file with endpoint details. | +
To create a NodeJS service component, follow these steps:
+Enter a display name, a unique name, and a description for the service component. You can enter the values given below:
+Info
+In the Component Name field, you must specify a name to uniquely identify the component in various contexts. The value is editable only at the time you create the component. You cannot change the name after you create the component.
+| Field | +Value | +
|---|---|
| Component Display Name | +NodeJS Chat Service |
+
| Component Name | +nodejs-chat-service |
+
| Description | +Manage a chat service | +
Click the GitHub tab.
+To allow Choreo to connect to your GitHub account, click Authorize with GitHub. If you have not already connected your GitHub repository to Choreo, enter your GitHub credentials and select the repository you created in the prerequisites section to install the Choreo GitHub App.
+Alternatively, you can paste the Choreo samples repository URL in the Provide Repository URL field to connect to it without requiring authorization from the Choreo Apps GitHub application. However, authorizing the repository with the Choreo GitHub App is necessary if you want to enable Auto Deploy for the component.
+Note
+The Choreo GitHub App requires the following permissions:
+You can revoke access if you do not want Choreo to have access to your GitHub account. However, write access is exclusively utilized for sending pull requests to a user repository. Choreo will not directly push any changes to a repository.
+Under Connect Your Repository, enter the following information:
+| Field | +Value | +
|---|---|
| Organization | +Your GitHub account | +
| GitHub Repository | +choreo-samples |
+
| Branch | +main |
+
Select NodeJS as the buildpack.
+Enter the following information:
+| Field | +Value | +
|---|---|
| NodeJS Project Directory | +websocket-chat-app/websocket-chat-service-nodejs |
+
Click Create. This creates the component and takes you to the Overview page of the component.
+You have successfully created a service component that provides a WebSocket API built with NodeJS. The next step is to proceed with building and deploying the service.
+Now that you have connected the source repository, it's time to build and deploy the chat service.
+To build the service, follow these steps:
+On the Build page, click Build Latest.
+Note
+Building the service component may take a while. You can track the progress via the logs in the Build Details pane. Once the build process is complete, the build status changes to Success.
+To deploy the service, follow these steps:
+Review the Endpoint Details and click Deploy.
+Note
+Deploying the service component may take a while. Once deployed, the Development environment card indicates the Deployment Status as Active.
+Once you have successfully deployed your service, you can test, manage, and observe it like any other component type in Choreo.
+During testing, once the WebSocket connection is established, you can send {"type": "Connect", "username": "user1"} to the WebSocket endpoint to connect to the chat service. You can then send chat messages by using {"type": "Data", "message": "Hello, World!"}.
+Note
+Some clients, such as certain browsers, may not support adding headers to the WebSocket handshake. In these cases, you can include the access token or Test key required for WebSocket API invocation within the sec-websocket-protocol header, along with any specified subprotocols.
For example: sec-websocket-protocol: choreo-oauth2-token, {access token}, subprotocols
If you are using a Test Key, replace choreo-oauth2-token with choreo-test-key.
Explore how to create, deploy, manage, and observe service components in Choreo.
+A service component in Choreo lets you deploy and expose REST, GraphQL, gRPC, UDP, WS or TCP services. It is a fundamental building block for creating cloud-native applications in Choreo. They provide a simple and effective way to expose functionality as a service to other components within Choreo or to the outside world.
+Service components encapsulate business logic and provide standardized interfaces, called endpoints, for communicating with other components or systems. You can deploy and scale services independently, which makes them highly flexible and adaptable to changing workloads.
+With the help of the service component, developers can quickly create APIs and microservices, making it easier to implement and manage complex software systems. Service components can also be integrated with other Choreo components, that acts as message processors, connectors, and data sources, etc to create powerful end-to-end solutions.
+You can expose a service to other components through endpoints. For details on configuring endpoints, see Configure Endpoints.
+ + + + + + +A web application is an application program hosted on a server and serves ingress traffic through a browser. In Choreo, you can deploy a web application by creating a Web Application component and connecting it to a Git repository that contains the implementation of the web application. Web applications can fall into one of the following categories:
+You can create a web application in Choreo as follows:
+Build and deploy a SPA from the source code.
+package.json engine property. The required Node version must be explicitly set in the build configuration.Once you create the Web Application component, Choreo automatically generates a build pipeline for your single-page application and deploys it.
+Bring your Dockerfile.
+This approach is recommended if you are deploying a web server and not just a single-page application (or a single-page application with a complex build process).
+Host static websites.
+Now let's take a look at how you can build and deploy a SPA from source code:
+Follow the steps below to create a sample Web Application component and deploy it in Choreo:
+To allow Choreo to connect to your GitHub account, click Authorize with GitHub. If you have not already connected your GitHub repository to Choreo, enter your GitHub credentials and select the repository you created in the prerequisites section to install the Choreo GitHub App.
+Alternatively, you can paste the Choreo samples repository URL in the Provide Repository URL field to connect to it without requiring authorization from the Choreo Apps GitHub application. However, authorizing the repository with the Choreo GitHub App is necessary if you want to enable Auto Deploy for the component.
+Note
+The Choreo GitHub App requires the following permissions:
+You can revoke access if you do not want Choreo to have access to your GitHub account. However, write access is exclusively utilized for sending pull requests to a user repository. Choreo will not directly push any changes to a repository.
+Enter the following information:
+| Field | +Description | +
|---|---|
| GitHub Account | +Your account | +
| GitHub Repository | +choreo-samples | +
| Branch | +main | +
Select React as the Buildpack.
+Enter the following information:
+| Field | +Description | +
|---|---|
| Project Directory | +/react-single-page-app | +
| Build Command | +npm run build |
+
| Build Path | +build |
+
| Node Version | +18 |
+
Tip
+Managed authentication is enabled by default when you create a web application using React, Angular, or Vue.js buildpacks. To learn how to set up authentication for your web application with Choreo's managed authentication, see Secure Web Applications with Managed Authentication.
+Click Create. Choreo initializes the component with the sample implementation and opens the Overview page of the component.
+You have successfully created a Web Application component from the source code. Now let's build and deploy the web application.
+To build the web application, follow the steps given below:
+Select the latest commit and click Build. This triggers the build process and displays the progress in the Build Logs pane.
+You can access the following scans in the Build Logs pane:
+Info
+If you have Choreo environments on a private data plane, you can ignore these vulnerabilities and proceed with the deployment.
+Note
+The build process can take a while to complete. When the build process is complete, the build will be listed in the Builds pane along with its status.
+Here, you will see the build status as Success.
+Keep the default settings and click Deploy.
+Note
+To verify that you have successfully hosted the web application, click the Web App URL in the Development card. This takes you to the web application.
+Info
+This feature is only available on the Choreo cloud data plane.
+When you promote your component to the Production environment, you have the option to create a personalized short URL for your web application. The URL follows the https://{your-short-prefix}.choreoapps.dev structure, where you can select a name of your preference for {your-short-prefix}.
To create a short URL for your web application, follow the steps given below:
+Specify a Short URL prefix of your choice and click Save.
+Note
+Short URL names/prefixes are subject to availability, provided on a first-come-first-serve basis.
+For web applications with a backend server, Choreo allows you to mount runtime configurations and secrets as environment variables and/or file mounts for a specific environment. Alternatively, you can also inject them into the client application during server-side rendering or when serving static content.
+However, in the case of SPAs that run completely on the browser, Choreo does not support baking-in environment variables or other configurations. This is because Choreo follows a multi-environment deployment model, where configuration should be kept separate from the build and injected at runtime. For example, in most React SPA frameworks, the process.env stub is available during build time. However, it does not actually read in variables from the runtime. Instead, it is baked into the final JavaScript output during the build process.
To manage runtime configurations, Choreo recommends the following approach (although this is a React example, the approach is generally applicable to other SPA frameworks as well).
+Note
+Follow the steps given below to manage runtime configurations for the React application you created above:
+Create and commit a new file named config.js in the public directory of your React application. This file should contain the runtime configuration variables you want to expose to your application, such as API endpoints or feature flags. Let's expose the API URL and a feature flag as follows:
window.config = {
+apiUrl: 'https://api.example.com',
+ featureFlags: {
+ enableNewFeature: true,
+ enableExperimentalFeature: false,
+ },
+};
+index.html file inside the public directory, add a script tag as follows to include the config.js file inside the tag. The config.js file will be accessible via JavaScript at runtime.
+<!DOCTYPE html>
+<html lang="en">
+<head>
+ <meta charset="utf-8" />
+ <title>My React App</title>
+</head>
+<body>
+ <div id="root"></div>
+ <script src="%PUBLIC_URL%/config.js"></script>
+</body>
+</html>
+window.config object available to your app at runtime.
+In your React component, you can access the configuration variables by referencing the window.config object as follows:
When you deploy your component to Choreo, create a config file mount in the specified path for each environment (where your index.html expects the config.js file as in this example).
+https://wso2.com/choreo/docs/devops-and-ci-cd/manage-configurations-and-secrets/#apply-a-file-mount-to-your-container.
The following limitations are specific to the Choreo cloud data plane:
+I’m seeing a blank page or a 502 error after I deploy my web application
+If you encounter a blank page or a 502 error after deploying your web application, it typically indicates that the wrong directory is being served. To resolve this issue, follow these steps:
+public/ as the output directory when it should have been build/.By verifying and correcting the output directory alignment, you should be able to address the issue of encountering a blank page or experiencing a 502 error on deploying your web application.
+Choreo’s managed authentication capability exposes a set of backend for frontend (BFF) endpoints, facilitating authentication and authorization for web applications. These endpoints are readily available for single-page web applications deployed on Choreo.
+As a web application developer, there may be instances where it becomes necessary to run the application on your personal workstation. In such situations, the expectation is for authentication and authorization during local development to work in the same manner as it would when the application is deployed to Choreo, eliminating the need to modify the source code.
+Choreo's local development capability ensures a seamless local application development experience where the authentication and authorization process aligns with Choreo’s deployment environment. This facilitates a smoother transition from development to deployment, improving workflow efficiency.
+Local development uses a proxy that sits in front of the locally running web application. This proxy intercepts all incoming requests. The requests to /choreo-apis/* and /auth/* are then forwarded to Choreo, while all other requests are forwarded to the locally running web application. The proxy runs on HTTPS using a self-signed certificate, crucial for secure, HTTP-only cookie-based managed authentication. Upon running the proxy, you can access the web application using the proxy's URL and start developing the application locally. You will observe that the behavior of the web application, in terms of the managed authentication functionality, is similar to how it would be after deploying to Choreo.
Promote and deploy the application to the environment where you want to enable local development.
+Note
+Now you have done the necessary configurations to set up local development. The next section walks you through the steps to access your web application so that you can develop it locally.
+http://localhost on a specific port.You can either use the Choreo built-in identity provider or external identity provider to access your web application locally.
+To access the application and proceed to develop it, go to the URL given under Step 2 in the Local Development pane.
+Note
+The local development proxy runs on HTTPS using a self-signed certificate. Your browser may warn that the certificate is not valid. Accept the risk and proceed.
+To access the application and proceed to develop it, go to the URL given under Step 3 in the Local Development pane.
+Note
+The local development proxy runs on HTTPS using a self-signed certificate. Your browser may warn that the certificate is not valid. Accept the risk and proceed.
+In Choreo, you can configure service endpoints and connections via the component.yaml source configuration file. This file ensures that the configurations required to initialize endpoints and connections are defined, as they cannot be inferred from the source code. This guide provides an overview of how to configure and manage these settings effectively.
The source configuration file must be committed to your repository within the .choreo directory at the root of the project directory. This ensures the ability to version the configuration files alongside repository commits, enabling better tracking and management of configurations.
Note
+component-config.yaml and endpoints.yaml files will eventually be deprecated and replaced by the component.yaml file. component.yaml file from the component-config.yaml file, see Migrate from the component-config.yaml.component.yaml file from the endpoints.yaml file, see Migrate from the endpoints.yaml.component.yaml takes the highest precedence, followed by component-config.yaml, and then endpoints.yaml.component.yaml file¶File location:
+ + +Note
+build-context-path with the <project-directory>.
+For example, <project-directory>/.choreo/component.yaml.build-context-path with the <docker-context-path>.
+For example, <docker-context-path>/.choreo/component.yaml.Sample component.yaml file content:
Click the respective tab to view the structure for your current configuration file version:
+# +required The configuration file schema version
+schemaVersion: 1.1
+
+# +optional Incoming connection details for the component
+endpoints:
+ # +required Unique name for the endpoint.
+ # This name will be used when generating the managed API
+ - name: greeter-sample
+ # +optional Display name for the endpoint.
+ displayName: Go Greeter Sample
+ # +required Service section has the user service endpoint details
+ service:
+ # +optional Context (base path) of the API that gets exposed via the endpoint.
+ basePath: /greeting-service
+ # +required Numeric port value that gets exposed via the endpoint
+ port: 9090
+ # +required Type of traffic that the endpoint is accepting.
+ # Allowed values: REST, GraphQL, WS, GRPC, TCP, UDP.
+ type: REST
+ # +optional Network level visibilities of the endpoint.
+ # Accepted values: Project|Organization|Public(Default).
+ networkVisibilities:
+ - Public
+ - Organization
+ # +optional Path to the schema definition file. Defaults to wild card route if not provided
+ # This is only applicable to REST or WS endpoint types.
+ # The path should be relative to the docker context.
+ schemaFilePath: openapi.yaml
+
+ # +optional Outgoing connection details for the component.
+ dependencies:
+ # +optional Defines the connection references from the Internal Marketplace.
+ connectionReferences:
+ # +required Name of the connection.
+ - name: hr-connection
+ # +required Name of the connection instance.
+ resourceRef: service:/HRProject/UserComponent/v1/ad088/PUBLIC
+The descriptor-based approach of the component.yaml file simplifies and streamlines endpoint and connection configuration management. The use of versioned schemas ensures backward compatibility, providing a seamless transition with future updates.
You can define the following root-level configurations via the component.yaml file:
| Configuration | +Required | +Description | +
|---|---|---|
| schemaVersion | +Required | +The version of the component.yaml file. Defaults to the latest version. |
+
| endpoints | +Optional | +The list of endpoint configurations. | +
| dependencies | +Optional | +The list of dependency configurations. | +
In the endpoints section of the component.yaml file, you can define multiple service endpoint configurations. Each endpoint must have a unique name and the required fields specified in the schema overview.
Why have a unique name?
+When you define multiple endpoints, the endpoint.name is appended to the Choreo-generated URL. A unique name ensures the endpoint is easily recognizable and readable within the URL.
| Configuration | +Required | +Description | +
|---|---|---|
| name | +Required | +A unique identifier for the endpoint within the service component. Avoid using excessively long names. | +
| displayName | +Optional | +A display name for the endpoint. | +
| service | +Required | +Service details for the endpoint. | +
| .basePath | +Required | +The base path of the API exposed via this endpoint. | +
| .port | +Required | +The numeric port value exposed via this endpoint. | +
| type | +Required | +The type of traffic the endpoint accepts. For example, REST, GraphQL, gRPC, UDP, or TCP. |
+
| networkVisibilities | +Required | +The network-level visibility of the endpoint. For example, project, organization, or public. | +
| schemaFilePath | +Required | +The file path to the swagger definition file. Defaults to the wildcard route if not specified. This field should be a relative path to the project path when using Java, Python, NodeJS, Go, PHP, Ruby, or WSO2 MI buildpacks. For REST endpoint types, when using the Ballerina or Dockerfile buildpack, the path should be relative to the component root or Docker context. | +
In the dependencies section of the component.yaml file, you can define multiple connection configurations under dependencies.connectionReferences. You can use the connection reference generated in the in-line developer guide when creating a connection. For instructions on copying connection configurations, see the in-line developer guide displayed during connection creation.
You must include the following configurations in the dependencies.connectionReferences schema:
| Configuration | +Required | +Description | +
|---|---|---|
| name | +Required | +The name given to the connection. | +
| resourceRef | +Required | +A unique, human-readable identifier for the service you are connecting. | +
Note
+Choreo automatically generates connection configurations when you create a connection. The properties such as name and resourceRef are automatically generated. The configurations required to establish the connection will be injected into Choreo-defined environment variables.
+# +required The configuration file schema version
+schemaVersion: 1.0
+
+# +optional Incoming connection details for the component
+endpoints:
+ # +required Unique name for the endpoint.
+ # This name will be used when generating the managed API
+ - name: greeter-sample
+ # +optional Display name for the endpoint.
+ displayName: Go Greeter Sample
+ # +required Service section has the user service endpoint details
+ service:
+ # +optional Context (base path) of the API that gets exposed via the endpoint.
+ basePath: /greeting-service
+ # +required Numeric port value that gets exposed via the endpoint
+ port: 9090
+ # +required Type of traffic that the endpoint is accepting.
+ # Allowed values: REST, GraphQL, WS, GRPC, TCP, UDP.
+ type: REST
+ # +optional Network level visibilities of the endpoint.
+ # Accepted values: Project|Organization|Public(Default).
+ networkVisibilities:
+ - Public
+ - Organization
+ # +optional Path to the schema definition file. Defaults to wild card route if not provided
+ # This is only applicable to REST or WS endpoint types.
+ # The path should be relative to the docker context.
+ schemaFilePath: openapi.yaml
+
+ # +optional Outgoing connection details for the component.
+ dependencies:
+ # +optional Defines the service references from the Internal Marketplace.
+ serviceReferences:
+ # +required Name of the service reference.
+ - name: choreo:///apifirst/mttm/mmvhxd/ad088/v1.0/PUBLIC
+ # +required Name of the connection instance.
+ connectionConfig: 19d2648b-d29c-4452-afdd-1b9311e81412
+ # +required Environment variables injected into the component for connection configuration.
+ env:
+ # +required Key name of the connection configuration.
+ - from: ServiceURL
+ # +required Environment variable injected into the container.
+ to: SERVICE_URL
+The descriptor-based approach of the component.yaml file simplifies and streamlines endpoint and connection configuration management. The use of versioned schemas ensures backward compatibility, providing a seamless transition with future updates.
You can define the following root-level configurations via the component.yaml file:
| Configuration | +Required | +Description | +
|---|---|---|
| schemaVersion | +Required | +The version of the component.yaml file. Defaults to the latest version. |
+
| endpoints | +Optional | +The list of endpoint configurations. | +
| dependencies | +Optional | +The list of dependency configurations. | +
endpoints section of the component.yaml file, you can define multiple service endpoint configurations. Each endpoint must have a unique name and the required fields specified in the schema overview.
+Why have a unique name?
+When you define multiple endpoints, the endpoint.name is appended to the Choreo-generated URL. A unique name ensures the endpoint is easily recognizable and readable within the URL.
| Configuration | +Required | +Description | +
|---|---|---|
| name | +Required | +A unique identifier for the endpoint within the service component. Avoid using excessively long names. | +
| displayName | +Optional | +A display name for the endpoint. | +
| service | +Required | +Service details for the endpoint. | +
| .basePath | +Required | +The base path of the API exposed via this endpoint. | +
| .port | +Required | +The numeric port value exposed via this endpoint. | +
| type | +Required | +The type of traffic the endpoint accepts. For example, REST, GraphQL, gRPC, UDP, or TCP. |
+
| networkVisibilities | +Required | +The network-level visibility of the endpoint. For example, project, organization, or public. | +
| schemaFilePath | +Required | +The file path to the swagger definition file. Defaults to the wildcard route if not specified. This field should be a relative path to the project path when using Java, Python, NodeJS, Go, PHP, Ruby, or WSO2 MI buildpacks. For REST endpoint types, when using the Ballerina or Dockerfile buildpack, the path should be relative to the component root or Docker context. | +
In the dependencies section of the component.yaml file, you can define multiple service connection configurations under dependencies.serviceReferences. You can use the service references generated in the in-line developer guide when creating a service connection. For instructions on copying connection configurations, see the in-line developer guide displayed during connection creation.
You must include the following configurations in the dependencies.serviceReferences schema:
| Configuration | +Required | +Description | +
|---|---|---|
| name | +Required | +A unique name for the service reference. | +
| connectionConfig | +Required | +A unique name for the connection instance. | +
| env | +Required | +The list of environment variable mappings to inject into the container. | +
| .from | +Required | +The key name of the connection configuration. | +
| .to | +Required | +The environment variable to inject into the container. | +
Note
+Choreo automatically generates connection configurations when you create a connection. The properties such as name, connectionConfig, and env.from are automatically generated. However, you must manually set the env.to value.
+component-config.yaml file¶File location:
+ + +Sample component-config.yaml file content:
apiVersion: core.choreo.dev/v1beta1
+kind: ComponentConfig
+spec:
+ # +optional Incoming connection details for the component (AKA endpoints).
+ inbound:
+ # +required Unique name for the endpoint.
+ # This name will be used when generating the managed API
+ - name: Greeting Service
+ # +required Numeric port value that gets exposed via the endpoint
+ port: 9090
+ # +required Type of traffic that the endpoint is accepting.
+ # Allowed values: REST, GraphQL, GRPC, TCP, UDP, WS.
+ type: REST
+ # +optional Network level visibility of the endpoint. Defaults to Public
+ # Accepted values: Project|Organization|Public.
+ networkVisibility: Public
+ # +optional Context (base path) of the API that gets exposed via the endpoint.
+ # This is mandatory if the endpoint type is set to REST, GraphQL or WS.
+ context: /greeting
+ # +optional The path to the schema definition file. Defaults to wildcard route if not specified.
+ # This is only applicable to REST and WS endpoint types.
+ # The path should be relative to the Docker context.
+ schemaFilePath: greeting_openapi.yaml
+ # +optional Outgoing connection details for the component.
+ outbound:
+ # +optional Defines the service references from the Internal Marketplace.
+ serviceReferences:
+ # +required Name of the service reference.
+ - name: choreo:///apifirst/mttm/mmvhxd/ad088/v1.0/PUBLIC
+ # +required Name of the connection instance.
+ connectionConfig: 19d2648b-d29c-4452-afdd-1b9311e81412
+ # +required Environment variables injected to the component for connection configuration.
+ env:
+ # +required Key name of the connection configuration.
+ - from: ServiceURL
+ # +required Environment variable injected to the container.
+ to: SERVICE_URL
+The component-config.yaml file complements and enhances the existing endpoint configuration process. It allows you to define how the endpoints (inbound connections) in your service are exposed and how your service connects to external services or components (outbound connections).
You can define the following root-level configurations via the component-config.yaml file:
| Configuration | +Required | +Description | +
|---|---|---|
| apiVersion | +Required | +The version of the component-config.yaml file defaults to core.choreo.dev/v1beta1. |
+
| kind | +Required | +The resource type of the file defaults to ComponentConfig. |
+
| spec.inbound | +Optional | +The list of inbound connection configurations. | +
| spec.outbound | +Optional | +The list of outbound connection configurations. | +
spec.inbound)In the spec.inbound configuration section, you can specify endpoints to set up inbound connections. To specify endpoints, you can follow the existing endpoints schema structure. For details on the endpoints schema structure, see the endpoints schema documentation.
spec.outbound)In the spec.outbound section, you can define serviceReferences. To define serviceReferences, you can use the service references generated in the Internal Marketplace when creating a service connection. To copy the outbound connection configurations, see the inline developer guide displayed when you create a connection.
You must include the following configurations in the serviceReferences schema:
| Configuration | +Required | +Description | +
|---|---|---|
| name | +Required | +A unique name for the service reference. | +
| connectionConfig | +Required | +A unique name for the connection instance. | +
| env | +Optional | +The list of environment variable mappings to inject into the container. | +
| env.from | +Required | +The key name of the connection configuration. | +
| env.to | +Required | +The environment variable to inject into the container. | +
endpoints.yaml file¶File location:
+ + +Sample endpoints.yaml file content:
# +required Version of the endpoint configuration YAML
+version: 0.1
+
+# +required List of endpoints to create
+endpoints:
+ # +required Unique name for the endpoint.
+ # This name will be used when generating the managed API
+- name: Greeting Service
+ # +required Numeric port value that gets exposed via this endpoint
+ port: 9090
+ # +required Type of the traffic this endpoint is accepting.
+ # Allowed values: REST, GraphQL, GRPC, UDP, TCP, WS.
+ type: REST
+ # +optional Network level visibility of this endpoint. Defaults to Public
+ # Accepted values: Project|Organization|Public.
+ networkVisibility: Project
+ # +optional Context (base path) of the API that is exposed via this endpoint.
+ # This is mandatory if the endpoint type is set to REST, GraphQL or WS.
+ context: /greeting
+ # +optional Path to the schema definition file. Defaults to wild card route if not provided
+ # This is only applicable to REST and WS endpoint types.
+ # The path should be relative to the docker context.
+ schemaFilePath: greeting_openapi.yaml
+The endpoints.yaml configuration file allows you to define configurations for multiple endpoints necessary for Choreo service components. This schema is essential to identify the context, port binding, network exposure level, and other attributes required to generate a Choreo endpoint.
You can define the following root-level configurations via the endpoints.yaml file:
| Configuration | +Required | +Description | +
|---|---|---|
| version | +Required | +The version of the endpoints.yaml file. |
+
| name | +Required | +A unique name for the endpoint, which Choreo will use to generate the managed API. | +
| port | +Required | +The numeric port value that gets exposed via this endpoint. | +
| type | +Required | +The type of traffic this endpoint accepts, such as REST, GraphQL, gRPC, WS, UDP, or TCP. Currently, the MI preset supports only the REST type. |
+
| networkVisibility | +Required | +The network level visibility of this endpoint, which defaults to Public if not specified. Accepted values are Project, Organization, or Public. |
+
| context | +Required | +The context (base path) of the API that Choreo exposes via this endpoint. | +
| schemaFilePath | +Required | +The swagger definition file path. Defaults to the wildcard route if not provided. This field should be a relative path to the project path when using the Java, Python, NodeJS, Go, PHP, Ruby, and WSO2 MI buildpacks. For REST endpoint types, when using the Ballerina or Dockerfile buildpack, this field should be a relative path to the component root or Docker context. | +
With the upcoming deprecation of the component-config.yaml file and the endpoints.yaml file, Choreo provides a seamless migration path to the component.yaml file. See the following guidelines for details depending on the configuration you want to migrate from:
component-config.yaml file¶To migrate from the component-config.yaml file to the component.yaml file, do the following:
schemaVersion in the component.yaml and omit apiVersion and kind.Move endpoint configurations from the spec.inbound section to the endpoints section in the component.yaml file.
spec.inbound.context to endpoints.service.basePath.spec.inbound.port to endpoints.service.port.spec.inbound.networkVisibility to endpoints.networkVisibilities.Move dependency configurations from the spec.outbound section to the dependencies section in the component.yaml file.
endpoints.yaml file¶To migrate from the endpoints.yaml file to the component.yaml file, do the following:
schemaVersion in the component.yaml and omit version.endpoints.yaml file to the endpoints section in the component.yaml file.context to endpoints.service.basePath.port to endpoints.service.port.networkVisibility to endpoints.networkVisibilities.Choreo allows you to create and manage dedicated deployment tracks for components, facilitating independent version control and deployment. This capability also allows you to unlink deployment tracks from associated branches or relink them to different branches so that you can align with your preferred Git workflows, such as the feature branch workflow or GitFlow workflow.
+Info
+Deployment track creation and management does not apply to API Proxy and BYOI components.
+Prerequisites:
+Follow the steps below to create a deployment track for a component:
+If you want to detach a branch reference from a deployment track, you must unlink the branch.
+Info
+When you unlink the branch of a deployment track, the active deployments are unaffected. However, while you can redeploy the existing deployment, you cannot perform a new deployment.
+Follow the steps below to unlink a deployment track of a component:
+To associate a branch reference to an unlinked deployment track, you must link a branch.
+Info
+To build and deploy the contents of the linked branch, you must perform a manual build and deploy.
+Prerequisites:
+Follow the steps below to link a branch to an unlinked deployment track:
+To switch the branch reference of a linked deployment track, you must relink to an appropriate branch.
+Info
+If you unlink the existing branch of a deployment track and link a different branch, you must perform a manual build and deploy to build and deploy the contents of the recently linked branch.
+Prerequisites:
+Follow the steps below to switch the branch reference of a linked deployment track:
+Now that you understand how to create and manage deployment tracks for components, let’s explore a sample scenario to see how a developer can use deployment tracks to manage version releases in Choreo.
+Let’s consider the following version release scenario:
+feature-x from either the main or dev branch.feature-x branch into the dev branch for testing.dev branch, the developer proceeds to merge all the changes into the main branch for production deployment.Following are the actions you need to take from a deployment track perspective to manage the version release:
+main branch from the associated deployment track (let’s consider this as the deployment track 1).dev branch containing the tested changes into the main branch.dev branch from the associated deployment track (let’s consider this as deployment track 2).main branch for deployment.dev branch.Tip
+dev to ensure a continuous development and release cycle.If you no longer need a deployment track, you can delete it.
+Note
+If the component exposes an endpoint or proxy and you want to delete the last version in the major version range, the recommended approach is to retire that version first. This allows consumers to transition to the next major version and prevents a sudden break in their experience. +For example, if you have deployment tracks for v1.0 and v2.0, notify consumers to switch to v2.0 before deleting v1.0. Then, retire the APIs in v1.0 and proceed to delete the associated deployment track.
+Prerequisites:
+Follow the steps below to delete a deployment track:
+Choreo allows you to use a preferred WSO2 Micro Integrator (MI) runtime version in your integration project. Currently, Choreo supports MI product versions 4.1.0 and 4.2.0. You have the flexibility to deploy WSO2 updates within these specified versions.
+When you create an integration project, you can specify a required runtime version to gain control over the environment in which your integration runs. This version management capability empowers you to tailor your projects depending on your runtime requirements, enhancing the customization and adaptability of your integration workflows.
+WSO2 Micro Integrator (MI) utilizes a versioning system consisting of three-digit numbers, such as 4.1.0 and 4.2.0, following semantic versioning principles. The product remains committed to receiving updates from WSO2, including security fixes, bug resolutions, and enhancements. Within the Choreo platform, the MI runtime version is constructed by combining the product release version with its corresponding update level.
In Choreo, the MI runtime version is structured as a four-digit number, for example, 4.1.0.14 or 4.2.0.17. The first three digits represent the product release version, while the last digit signifies the update level of the product. The fourth digit is optional and can be omitted.
If you are using WSO2 Integration Studio to build and deploy integration artifacts in WSO2 Micro Integrator, you can create multiple runtime environments and execute projects on any selected environment. WSO2 Integration Studio also allows you to configure multiple Micro Integrator runtime environments, offering flexibility and customization in the execution of integration processes.
+You can specify the Runtime version when you create an integration project in WSO2 Integration Studio. In the project creation wizard, specify the runtime version in the Runtime version field, as shown below.
+
An integration project is structured as a Maven project with multiple sub-modules. The root pom.xml file holds crucial information about the target runtime. The runtime version you configure when you create a new project is saved within the root pom.xml file. The version information is stored in the pom.xml file. If there is a need to update the runtime version, you have the flexibility to modify the value to a valid runtime version and ensure that the project runs in the required runtime environment.
You can establish multiple runtime environments by utilizing updated MI instances. With a valid WSO2 subscription, you can also access and download updates to set up an updated MI server locally. This update process allows you to select a preferred update level as the runtime version. Consequently, you can run your integration on a runtime with the latest updates, ensuring optimal performance and access to new features.
+If you are using WSO2 Integration Studio, follow these steps to set up a remote server instance with a Micro Integrator runtime environment to execute your integration project:
+Note
+If you have not downloaded and installed WSO2 Integration Studio, you can follow the installation instructions in the WSO2 API Manager documentation.
+
WSO2 directory and select WSO2 Remote Server.
+ 
Enter the WSO2 Micro Integrator Management API URL in the Server URL field and click Test Connection.
+Note
+The Management API of WSO2 Micro Integrator is an internal REST API introduced to substitute MI admin services. The default HTTPS port of the Management API of WSO2 Micro Integrator is 9164. If you have not manually changed the default port, you must set the Management API URL as https://localhost:9164/management. If you have changed the default HTTPS port, you must set the port number appropriately when specifying the Server URL. For more information on the default ports of WSO2 Micro Integrator, see WSO2 Micro Integrator default ports in the WSO2 API Manager documentation.
Click Finish.
+Your integration project is now running in a remote server instance with the Micro Integrator runtime environment you require. +If you need to make changes to the integration project, expand the remote server instance, right-click on the deployed exporter project, and select Redeploy to apply the changes.
+
You can use the following convention to indicate the required MI runtime version in your integration project:
+| Version format | +Example | +Description | +
|---|---|---|
| Product version | +4.1.0, 4.2.0 |
+Deploy on the latest update level of the mentioned product version. | +
| Product version with update level | +4.1.0.15, 4.2.0.17 |
+Deploy on the exact update level of the mentioned product version. | +
| GA version | +4.1.0.0, 4.2.0.0 |
+Deploy on the exact GA version without any update. | +
| Default version | +Empty value | +Deploy on the latest update level of the default product version. | +
Choreo utilizes Alpine images for configuring and deploying the Micro Integrator runtime. This includes automated configuration of the JRE/JDK, customized to the compatibility of the chosen runtime version, simplifying the setup procedure.
+Changing the runtime version in an integration project may become necessary during product version upgrades or when you want to apply updates.
+To change the runtime version of a MI Integration, follow the below steps.
+To change the runtime version in the integration project, follow the steps below:
+1. Open the project in Integration Studio.
+2. Right-click on the project and select Change Runtime MI Version.
+ 
+3. Specify the new runtime version as shown below:
+ 
+4. Alternatively, you can manually update the version by opening the root pom.xml file. Open pom.xml and change the required runtime version in <project.runtime.version> element under <properties> section.
To test the changes locally, you must download and set up the runtime environment locally. Then, you must configure the Integration Studio runtime environment by directing it to the locally installed MI runtime. Once the setup is complete, you can deploy your integrations on the MI runtime environment and proceed to the testing phase.
+After completing the tests to ensure everything works as expected, you can follow below steps to deploy the project in Choreo:
+You will see the runtime version in the logs as shown below:
+ 
Next, you must conduct additional testing in the development environment on Choreo before you promote the integration to production environments.
+The following error codes can help you troubleshoot errors that occur during the integration component build:
+| Error code | +Description | +
|---|---|
| 110 - 119 | +Internal server error. | +
| 121 | +Malformed runtime version. | +
| 122 | +The specified runtime version is not available. Either the product or update level is not available. | +
| 123 | +Trivy security vulnerabilities found in the libs directory. |
+
| 124 | +Trivy security vulnerabilities found in the dropins directory. |
+
| 125 | +Trivy security vulnerabilities found in the libs or dropins directory. |
+
| 126 | +Error building integration project. | +
Connections in Choreo provide a simple and uniform approach to seamlessly integrate components with services or resources.
+Choreo allows you to create connections to services deployed in Choreo or registered as external services. It also allows you to create connections to any Choreo-managed database.
+To create a connection to a service or a database, follow the step-by-step instructions in the respective tab:
+Follow these steps to create a connection to a service deployed in Choreo:
+In the Choreo Console, go to the top navigation menu and set the visibility level as project or component as follows:
+In the left navigation menu, click Dependencies and then Connections. This page lists all the existing connections.
+This creates the connection and displays its details for each environment, along with an inline guide on how to use the connection in your component.
+Follow these steps to create a connection to an external service:
+For step-by-step instructions on using a connection in your service, see Use a Connection in Your Service.
+For step-by-step instructions on using a connection in your web application, see Use a Connection in Your Web Application.
+Prerequisites:
+Follow these steps to create a connection to a Choreo-managed database:
+In the Choreo Console, go to the top navigation menu and set the visibility level as project or component as follows:
+In the left navigation menu, click Dependencies and then Connections. This page lists all the existing connections.
+To create the connection, follow these steps:
+Under Environment Configuration, select credentials for each environment.
+Note
+By default, the selected database is applied to all environments. To use different databases for specific environments, select the appropriate database and provide the corresponding credentials for each environment.
+Click Create.
+This creates the connection and displays the database connection details for each environment, along with an inline guide on how to use the connection in your component.
+For step-by-step instructions on using a database in your component, see Use a Database Connection in Your Component.
+Choreo allows you to share and reuse your services, accelerating development and enhancing efficiency in building integrated applications through connections.
+For step-by-step on instruction on creating a connection, see Create a Connection.
+To learn more about Choreo Connections, see the documentation on Connections.
+You can consume a Choreo-deployed service within another service. Consuming connections from within Choreo services is seamless and straightforward. Follow the steps below to consume a Choreo service:
+To integrate another service into your application, click the appropriate tab below based on your current configuration file and follow the step-by-step instructions:
+Copy and paste the snippet from the in-line developer guide into the component.yaml file.
The following is a sample snippet:
+dependencies:
+ connectionReferences:
+ - name: <CONNECTION_NAME>
+ resourceRef: <RESOURCE_IDENTIFIER>
+| Field | +Description | +
|---|---|
| name | +The name given to the connection. | +
| resourceRef | +A unique, readable identifier of the service being connected to. | +
If you've previously added a connectionReferences section under dependencies, append this as another item under connectionReferences. Upon deploying the component, Choreo automatically creates a subscription if applicable and the necessary configurations to establish the connection will be injected into the Choreo-defined environment variables.
The following table details the Choreo-defined environment variables:
+| Configuration Key | +Choreo-Defined Environment Variable Name | +
|---|---|
| ServiceURL | +CHOREO_<CONNECTION_NAME>_SERVICEURL | +
| ConsumerKey | +CHOREO_<CONNECTION_NAME>_CONSUMERKEY | +
| ConsumerSecret | +CHOREO_<CONNECTION_NAME>_CONSUMERSECRET | +
| TokenURL | +CHOREO_<CONNECTION_NAME>_TOKENURL | +
If you'd like to use custom environment variable names instead of the Choreo-defined ones, add the dependency as a service reference under dependencies in the same file. For more details, refer to the instructions under the component.yaml file (v1.0) tab.
The following table provides details on the configuration keys associated with the connection:
+| Name | +Type | +Description | +Optional | +Sensitive | +
|---|---|---|---|---|
| ServiceURL | +string | +Service URL of the Choreo service | +false | +false | +
| ConsumerKey | +string | +Consumer key of the Choreo service | +false | +false | +
| ConsumerSecret | +string | +Consumer secret of the Choreo service | +false | +true | +
| TokenURL | +string | +Token URL of the STS | +false | +false | +
Once you add the connection configuration snippet, you can proceed to read those configurations within your application. The steps to follow depend on the programming language you are using.
+The following is a sample code snippet in NodeJS:
+ + +Note
+This component.yaml v1.0 is a legacy configuration format. For new projects, we recommend using the latest version (v1.1) of component.yaml for improved usability and features.
Copy and paste the snippet from the in-line developer guide into the component.yaml file.
The following is a sample snippet:
+dependencies:
+ serviceReferences:
+ - name: <SERVICE_NAME>
+ connectionConfig: <CONNECTION_ID>
+ env:
+ - from: ServiceURL
+ to: <YOUR_ENV_VARIABLE_NAME_HERE>
+ - from: ConsumerKey
+ to: <YOUR_ENV_VARIABLE_NAME_HERE>
+ - from: ConsumerSecret
+ to: <YOUR_ENV_VARIABLE_NAME_HERE>
+ - from: TokenURL
+ to: <YOUR_ENV_VARIABLE_NAME_HERE>
+| Field | +Description | +
|---|---|
| name | +The name of the service you are connecting to. | +
| connectionConfig | +The unique connection identifier for the connection. | +
| env | +The environment variable mapping. | +
| from | +The key of the configuration entry. | +
| to | +The environment variable name to which Choreo will inject the value of the key. | +
Replace <YOUR_ENV_VARIABLE_NAME_HERE> with an appropriate environment variable name of your choice. If you have previously added a service reference section under dependencies, append this as another item under serviceReferences.
Upon deploying the component, Choreo automatically creates a subscription if applicable and populates the specified environment variables with actual values.
+The following table provides details on the configuration keys associated with the connection:
+| Name | +Type | +Description | +Optional | +Sensitive | +
|---|---|---|---|---|
| ServiceURL | +string | +Service URL of the Choreo service | +false | +false | +
| ConsumerKey | +string | +Consumer key of the Choreo service | +false | +false | +
| ConsumerSecret | +string | +Consumer secret of the Choreo service | +false | +true | +
| TokenURL | +string | +Token URL of the STS | +false | +false | +
Once you add the connection configuration snippet, you can proceed to read those configurations within your application. The steps to follow depend on the programming language you are using.
+The following is a sample code snippet in NodeJS:
+ + +Note
+This component-config.yaml is a legacy configuration format. For new projects, we recommend using the latest version (v1.1) of component.yaml for improved usability and features.
Copy and paste the snippet from the in-line developer guide into the component-config file under the spec section.
The following is a sample snippet:
+outbound:
+ serviceReferences:
+ - name: <SERVICE_NAME>
+ connectionConfig: <CONNECTION_ID>
+ env:
+ - from: ServiceURL
+ to: <YOUR_ENV_VARIABLE_NAME_HERE>
+ - from: ConsumerKey
+ to: <YOUR_ENV_VARIABLE_NAME_HERE>
+ - from: ConsumerSecret
+ to: <YOUR_ENV_VARIABLE_NAME_HERE>
+ - from: TokenURL
+ to: <YOUR_ENV_VARIABLE_NAME_HERE>
+| Field | +Description | +
|---|---|
| name | +The name of the service you are connecting to. | +
| connectionConfig | +The unique connection identifier for the connection. | +
| env | +The environment variable mapping. | +
| from | +The key of the configuration entry. | +
| to | +The environment variable name to which Choreo will inject the value of the key. | +
Replace <YOUR_ENV_VARIABLE_NAME_HERE> with an appropriate environment variable name of your choice. If you have previously added an outbound service reference, append this as another item under serviceReferences.
Upon deploying the component, Choreo automatically creates a subscription if applicable and populates the specified environment variables with actual values.
+The following table provides details on the configuration keys associated with the connection:
+| Name | +Type | +Description | +Optional | +Sensitive | +
|---|---|---|---|---|
| ServiceURL | +string | +Service URL of the Choreo service | +false | +false | +
| ConsumerKey | +string | +Consumer key of the Choreo service | +false | +false | +
| ConsumerSecret | +string | +Consumer secret of the Choreo service | +false | +true | +
| TokenURL | +string | +Token URL of the STS | +false | +false | +
Once you add the connection configuration snippet, you can proceed to read those configurations within your application. The steps to follow depend on the programming language you are using.
+The following is a sample code snippet in NodeJS:
+ + +To consume a Choreo service with the visibility level set to organization or public and secured by the OAuth 2.0 security scheme, you must obtain an OAuth 2.0 token from the token endpoint. Subsequently, you can use the token to invoke the service.
+For languages with OAuth 2.0-aware HTTP clients, you must pass the OAuth 2.0-related configurations such as client id, client secret and so on, obtained when creating the connection to your HTTP client configuration. The HTTP client autonomously manages token retrieval and refreshing.
+For languages without OAuth 2.0-aware HTTP clients, you must manually initiate a call to the token endpoint. This includes fetching the token and managing token expiration and refresh directly within your application code. The following is a sample curl command to obtain a token:
+CONSUMER_KEY="your_consumer_key"
+CONSUMER_SECRET="your_consumer_secret"
+TOKEN_URL="your_token_url"
+
+# Encode client credentials as Base64
+CLIENT_CREDENTIALS=$(echo -n "$CLIENT_ID:$CLIENT_SECRET" | base64)
+
+curl -X POST $TOKEN_URL \
+ -H "Content-Type: application/x-www-form-urlencoded" \
+ -H "Authorization: Basic $CLIENT_CREDENTIALS" \
+ --data-urlencode "grant_type=client_credentials"
+You can invoke the service as follows:
+For languages with OAuth 2.0-aware HTTP clients, you can invoke the service in a straightforward manner. The HTTP client seamlessly manages OAuth 2.0 authentication without requiring additional intervention.
+As the service URL you can use the URL that you resolved in step 2. For sample requests and responses, see the API definition provided via the Choreo marketplace for the service.
+For languages without OAuth 2.0-aware HTTP clients, you can use the token obtained in step 3 to make calls to the dependent service. Subsequently, add the obtained token to the HTTP authorization header with the bearer prefix. +As the service URL you can use the URL that you resolved in step 2. For sample requests and responses, see the API definition of the service provided via the Choreo marketplace.
+The following is a sample code snippet in NodeJS:
+const response = await axios.get(serviceURL/{RESOURCE_PATH}, {
+ headers: {
+ 'Authorization': `Bearer ${accessToken}`
+ }
+});
+Note
+If you want to consume a Choreo service at the project visibility level, you don't need to obtain a token. You can directly invoke the service using the resolved URL.
+Choreo simplifies the process of integrating services into your web application. The approach to connect to a service can vary based on your web application.
+To connect to a selected service, follow the step-by-step instructions given below depending on the authentication mechanism used in your web application.
+Choreo-managed authentication allows you to seamlessly handle authentication for your web application. You can configure your web application to work with the built-in identity provider of Choreo or any external identity provider that supports OIDC/OAuth2.0
+Note
+Choreo's managed authentication is currently available only for web applications created with React, Angular, or Vue.js buildpacks.
+Follow the steps below to use an existing connection within your web application:
+To integrate a service into your application, you must first add the connection configuration as follows:
+For single page applications (SPAs), you must add the connection configuration as a file mount. You can mount a file via the Configurations pane on the Deploy page. You must mount a file (for example, config.js) and add the configuration provided in the in-line developer documentation into it.
The following is a sample configuration:
+ + +To ensure accessibility of the config.js file via JavaScript at runtime, add a script tag as follows in the index.html file to reference the config.js file:
<!DOCTYPE html>
+<html lang="en">
+<head>
+ <meta charset="utf-8" />
+ <title>My React App</title>
+</head>
+<body>
+ <div id="root"></div>
+ <script src="%PUBLIC_URL%/config.js"></script>
+</body>
+</html>
+Note
+If you use an external IdP, you must add the IdP's configuration to the same file.
+For more information on working with IdPs, see Configure Asgardeo as an External Identity Provider.
+Once you add the connection configuration, you can proceed to read the configuration from your application. The steps to read depend on the programming language you use.
+The following is a sample code snippet in NodeJS:
+ + +If you use Choreo-managed authentication, Choreo handles the security handshaking for the application during deployment. The connected service will be accessible under the same domain as your application. Therefore, you can call the configured path directly using your preferred HTTP client.
+The following is a sample code snippet in NodeJS:
+ + +Note
+If you are using an external IdP provider instead of Choreo-managed authentication, you must obtain an access token from your IdP and add it to the HTTP authorization header with the bearer prefix.
+If you are not using Choreo-managed authentication or your web application lacks authentication, follow the steps below to connect to a service from your web application:
+For single-page applications (SPAs), you must add the connection configuration as a file mount. You can mount a file via the Configurations pane on the Deploy page. You must mount a file (for example, config.js) and add the following configuration into it.
The following is a sample configuration:
+ window.configs = {
+ apiUrl: '<SERVICE_URL>',
+ consumerKey: '<CONSUMER_KEY>',
+ consumerSecret: '<CONSUMER_SECRET>',
+ tokenUrl: '<TOKEN_URL>',
+ };
+For other types of web applications, you must add the respective configuration into your application.
+Once you have added the connection configuration, you can proceed to read the configuration from your application. The steps to read depend on the programming language you use.
+The following is a sample code snippet in NodeJS:
+ + +For languages with OAuth 2.0-aware HTTP clients, you must pass the OAuth 2.0-related configurations such as client id, client secret and so on, obtained when creating the connection to your HTTP client configuration. The HTTP client autonomously manages token retrieval and refreshing.
+For languages without OAuth 2.0-aware HTTP clients, you must manually initiate a call to the token endpoint. This includes fetching the token and managing token expiration and refresh directly within your application code. The following is a sample curl command to obtain a token:
+CONSUMER_KEY="your_consumer_key"
+CONSUMER_SECRET="your_consumer_secret"
+TOKEN_URL="your_token_url"
+
+# Encode client credentials as Base64
+CLIENT_CREDENTIALS=$(echo -n "$CLIENT_ID:$CLIENT_SECRET" | base64)
+
+curl -X POST $TOKEN_URL \
+-H "Content-Type: application/x-www-form-urlencoded" \
+-H "Authorization: Basic $CLIENT_CREDENTIALS" \
+--data-urlencode "grant_type=client_credentials"
+You can invoke the service as follows:
+For languages with OAuth 2.0-aware HTTP clients, you can invoke the service in a straightforward manner. The HTTP client seamlessly manages OAuth 2.0 authentication without requiring additional intervention.
+As the service URL you can use the URL that you resolved in step 2 above. For sample requests and responses, see the API definition provided via the Choreo marketplace for the service.
+For languages without OAuth 2.0-aware HTTP clients, you can use the token obtained in step 3 above to make calls to the dependent service. Subsequently, add the obtained token to the HTTP authorization header with the bearer prefix.
+As the service URL you can use the URL that you resolved in step 2 above. For sample requests and responses, see the API definition of the service provided via the Choreo marketplace.
+The following is a sample code snippet in NodeJS:
+ + +Choreo allows you to share and reuse Choreo-managed databases, accelerating development and enhancing efficiency in building integrated applications through connections.
+For step-by-step instructions on creating a database connection, see Create a Connection.
+To learn more about Choreo Connections, see the documentation on Connections.
+To consume a Choreo-managed database via a connection, follow these steps:
+Copy and paste the snippet from the inline developer guide into the component-config file under the spec section.
The following is a sample snippet:
+outbound:
+ serviceReferences:
+ - name: database:hrdbProd
+ connectionConfig: 01ef700c-e378-138e-a11f-6e8e5a924f54
+ env:
+ - from: HostName
+ to: <YOUR_ENV_VARIABLE_NAME_HERE>
+ - from: Port
+ to: <YOUR_ENV_VARIABLE_NAME_HERE>
+ - from: Username
+ to: <YOUR_ENV_VARIABLE_NAME_HERE>
+ - from: Password
+ to: <YOUR_ENV_VARIABLE_NAME_HERE>
+ - from: DatabaseName
+ to: <YOUR_ENV_VARIABLE_NAME_HERE>
+| Field | +Description | +
|---|---|
| Name | +The name of the database you are connecting to. | +
| ConnectionConfig | +The unique connection identifier for the connection. | +
| env | +The environment variable mapping. | +
| from | +The key of the configuration entry. | +
| to | +The environment variable name to which Choreo will inject the value of the key. | +
Replace <YOUR_ENV_VARIABLE_NAME_HERE> with appropriate environment variable names. If you have already added an outbound service reference, append this as another entry under serviceReferences.
The following table provides details on the configuration keys associated with the connection:
+| Name | +Type | +Description | +Optional | +Sensitive | +
|---|---|---|---|---|
| HostName | +string | +The hostname of the database server where the database resides. | +false | +false | +
| Port | +string | +The port number on which the database server listens for connections. | +false | +false | +
| Username | +string | +The username for database access. | +false | +false | +
| Password | +string | +The password for database access. | +false | +true | +
| DatabaseName | +string | +The name of the database to connect. | +false | +false | +
Once you add the connection configuration snippet, you can read the configurations within your application. The steps to follow depend on the programming language you are using.
+The following is a sample code snippet in JavaScript:
+ + +To initiate a connection to the database, follow these steps:
+In this example, you will connect to a MySQL database.
+For the MySQL database, install the mysql2 package using npm:
To establish the connection, use the environment variables for hostName, username, password, databaseName, and port as follows:
In Choreo, if an administrator configures a workflow to require approval, you must submit a request to obtain approval to perform the task.
+Upon submitting a workflow approval request, Choreo notifies all authorized assignees via email about the review request. When an authorized assignee approves or rejects the request, you will receive an email with details of the decision.
+The approach to request approval can vary depending on the workflow.
+Prerequisites:
+To request approval to promote a component from the development environment to production, follow these steps:
+In the Request Approval pane that opens, enter your request details and click Submit. This creates a request and notifies all authorized assignees via email about the request.
+Note
+When an environment promotion request for a specific component is pending review, Choreo restricts other developers from making the same request until the pending request is either approved or rejected.
+When an authorized assignee approves the request, you will receive a confirmation email and can proceed to promote the component to production.
+If you want to cancel a workflow approval request that is already submitted, you can do so before the request is approved or rejected.
+When you submit a workflow approval request, the Request to Promote button changes to Cancel Request. To cancel an approval request, click Cancel Request. Upon confirming the cancellation, all configured approvers are notified immediately, and the request will no longer be pending.
+ + + + + + +WSO2 Micro Integrator (WSO2 MI) is a lightweight, high-performance integration runtime. It allows you to run integrations developed using WSO2 Integration Studio within Choreo.
+The topics on this page walk you through the key aspects you need to understand to use the WSO2 MI runtime effectively in Choreo.
+Choreo supports the following WSO2 MI integrations that cater to different use cases and requirements. Each integration type serves a specific purpose. Therefore, it is essential to understand their differences to easily choose the most appropriate integration for your use case.
+WSO2 Integration Studio is a powerful, Eclipse-based graphical development environment that enables you to build and deploy integration artifacts in WSO2 Micro Integrator. This comprehensive IDE offers a robust set of tools for designing and testing integration flows and crafting integration artifacts. By utilizing the visual, drag-and-drop capabilities of WSO2 Integration Studio, developers can significantly reduce the time and effort needed to construct and deploy integration flows.
+In addition to streamlining the development process, Integration Studio offers features such as debugging, testing, and version control to ensure the quality and reliability of integration flows. By creating an Integration project and Composite Exporter project in WSO2 Integration Studio, developers can export their integration projects as a single deployment artifact, known as a composite application. This composite application encompasses all the components and configurations necessary for deploying the integration project to WSO2 Micro Integrator.
+The Composite Exporter project simplifies the deployment process by allowing developers to package their integration projects as a single, self-contained artifact that can be easily deployed and managed. This approach enhances the consistency and reliability of integration projects while streamlining the overall deployment process.
+To start developing integrations with WSO2 Integration Studio, see WSO2 API Manager Documentation - Developing Integration Solutions.
+An Integration Project in WSO2 Integration Studio is a multi-module Maven project that can contain multiple modules with WSO2 Synapse configurations and a composite application module to export all the configurations as a single deployable artifact.
+An integration project directory structure includes the following key components:
+Optionally, you can include the following components in your integration project:
+Understanding the Integration Project directory structure is crucial for organizing your project and ensuring that all necessary components are included in the final deployable artifact.
+OpenAPI Support plays a crucial role in enhancing the functionality of integrations exposed as APIs. By providing an OpenAPI definition for your exposed integration, you can streamline testing and management processes, ensuring a more efficient and user-friendly experience. Choreo will automatically generate an OpenAPI definition for you based on your integration project, if you don't provide one, saving you time and effort.
+To incorporate OpenAPI support, store the OpenAPI definition file within the repository hosting your Integration Studio project. When creating the project, simply point to the file's location in the repository. If needed, you can change the location of the OpenAPI definition file later via the deploy page.
+
By leveraging OpenAPI Support, you can optimize the way you test and manage your integrations, resulting in a more efficient development process and a smoother user experience.
+The use of third-party libraries in your Micro Integrator project can offer several advantages, such as enhanced functionality, improved integration capabilities, optimized performance, and reduced development time.
+Here are some of the benefits of adding third-party JARs to the Micro Integrator:
+To incorporate third-party libraries into your Micro Integrator project, create a new directory called libs at the
+root of your project. If your project root and GitHub repository root are not the same, place the libs directory in
+the project root. After adding the required JAR files to the libs directory, the Micro Integrator runtime will
+automatically include them when deploying the component. This process ensures that any dependencies needed by your
+integration flow are available at runtime.
In addition to jar libraries, you may also need to incorporate OSGi bundle JARs into your project. To do this,
+create another directory called dropins at the root of your project. Similarly, if the project root and GitHub
+repository root differ, place the dropins directory in the project root. Within the dropins directory, add the OSGi
+bundle JAR files. The OSGI runtime will pick up these bundles during deployment, enabling you to utilize their
+functionality within your Micro Integrator project.
The feature enables Choreo MI users to import certificates into the MI client-truststore.jks file. This functionality
+proves valuable when users need to establish connections with servers or services utilizing SSL/TLS encryption and
+possessing self-signed certificates or certificates issued by private certificate authorities (CAs) that are not
+automatically trusted. Importing the certificate to the MI client-truststore.jks file enables MI clients to establish secure connections with
+the server or service seamlessly, eliminating SSL/TLS errors or warnings.
Before importing the certificate, it is necessary to obtain the certificate file, which can be in PEM or DER format. You
+can get the certificate from the server or service provider or export it from a web browser. Certificates should be
+added to the /wso2mi/certs/ folder. Users need to verify that the mount path for the certificate file aligns with this
+specific path.
Specify the following values as mount configurations:
+| Field | +Value | +
|---|---|
| Config Name | +An appropriate name for the certificate. | +
| Mount path | +/wso2mi/certs/<filename>. For example, /wso2mi/certs/certificate.crt |
+
Click Upload File and attach the certificate.
+MI Secure Vault is a feature that allows users to securely store sensitive data, such as passwords and tokens, and +provide access to that data to MI Integrations. This feature provides an added layer of security to your integrations by +reducing the risk of accidental exposure of sensitive data.
+To use MI Secure Vault to work with sensitive data, follow these steps:
+Specify the following values as configurations:
+| Field | +Value | +
|---|---|
| Name | +An appropriate name for the secret/alias. | +
| Value | +Value for the secret | +
Select Mark as a Secret.
+<property name="secret_value_1" expression="wso2:vault-lookup('user_pass')" scope="default" type="STRING"/>
+You can refer to the Accessing secrets +section of MI Secure Vault documentation for more information on these features. By using MI +Secure Vault to store and access sensitive data in your integrations, you can ensure that your integrations +remain secure and protect sensitive data from unauthorized access.
+Scanning third-party libraries for security vulnerabilities is essential for identifying potential weaknesses in an application that could be exploited by attackers. Taking a proactive approach to security helps organizations detect and mitigate risks before they can be exploited, preventing data breaches, system compromises, and other security incidents.
+Choreo incorporates a security vulnerability scanning process during deployment. It uses Trivy to scan and detect critical vulnerabilities in third-party libraries added to the integration component. If the scan uncovers any critical vulnerabilities, the deployment process is halted. The deployment pane displays the Trivy scan status and any security failures in the Library (Trivy) vulnerable scan step, which can be accessed by clicking on it. Once the vulnerability has been addressed, you can redeploy the component.
+Customizing WSO2 Micro Integrator Preconfigured Settings is essential for ensuring that the integration solution works optimally within the specific context of your organization. While WSO2 MI comes with preconfigured settings designed for general use, these settings may not be suitable for every organization's unique requirements. Customizing these settings can help optimize performance and ensure compatibility with your organization's systems and applications.
+To customize the preconfigured settings of WSO2 MI instances running on Choreo, define a deployment.toml file in the GitHub repository subpath of your Micro Integrator project:
Note
+If you change critical configuration parameters such as port offset and hostname, it can break internal communication. +Therefore, the recommended approach is to update only the necessary configuration parameters.
+Given below is a sample deployment.toml file that can be used to configure the JMS transport. For more information on WSO2 MI
+configuration parameters, see the MI Config Catalog.
[[transport.jms.sender]]
+name = "myQueueSender"
+parameter.initial_naming_factory = "org.apache.activemq.jndi.ActiveMQInitialContextFactory"
+parameter.provider_url = "$env{JMS_PROVIDER_URL}"
+parameter.connection_factory_name = "QueueConnectionFactory"
+parameter.connection_factory_type = "queue"
+parameter.cache_level = "producer"
+
+[[transport.jms.listener]]
+name = "myQueueListener"
+parameter.initial_naming_factory = "org.apache.activemq.jndi.ActiveMQInitialContextFactory"
+parameter.provider_url = "$env{JMS_PROVIDER_URL}"
+parameter.connection_factory_name = "QueueConnectionFactory"
+parameter.connection_factory_type = "queue"
+parameter.cache_level = "consumer"
+Using environment variables is a recommended practice when developing integration artifacts with WSO2 Integration Studio, as it improves configuration management, security, portability, and manageability. By leveraging environment variables, organizations can streamline the management and maintenance of their integrations, ensuring that updates can be implemented quickly and efficiently.
+The component's Deploy page provides a user-friendly interface to manage environment variables across different environments. For information on managing environment variables for complex use cases, see Configurations and secrets.
+
Environment variables offer several benefits:
+For a comprehensive list of parameters that can be configured as environment variables, see WSO2 API Manager Documentation - Injecting Parameters - Supported parameters.
+Configuring logging is crucial when developing and maintaining a software system, as it can significantly improve efficiency during the development, testing, and maintenance phases of the software development process. Logging captures events and messages that occur during an application's execution, providing valuable insights for troubleshooting and debugging issues.
+With Micro Integrator instances, you can configure and customize logging according to your requirements. Logging configurations can be added to each MI instance's environment, allowing you to fine-tune logging depending on the specific environment or deployment scenario.
+To configure logging in MI instances, follow the steps given below:
+Tip
+You can use environment variables with specific naming conventions.
+logging_level_ followed by the package or class name.Set the variable value to the required logging level for the corresponding package or class.
+For example, to enable wire logs, change the logging level of the org.apache.synapse.transport.http.wire package to debug.
To configure logging, set the environment variable as follows:
+Specify the following values as mount configurations:
+| Field | +Value | +
|---|---|
| Config Name | +An appropriate name for the configuration. | +
| Name | +logging_level_org_apache_synapse_transport_http_wire |
+
| Value | +debug |
+
Click Create.
+WSO2 Micro Integrator (MI) Connectors are prebuilt connectors designed to simplify integration between WSO2 MI and various other systems. They enable seamless connections to databases, message brokers, REST APIs, and more, allowing you to perform actions such as sending messages, executing queries, or retrieving data. These connectors are easy to use, making it straightforward to incorporate them into your WSO2 MI integration flows. Micro Integrator connectors are versatile and can be utilized in various integration scenarios, including data integration, service-oriented architecture (SOA) integration, and event-driven architecture (EDA) integration.
+WSO2 Integration Studio is a comprehensive development environment that facilitates the creation of integration flows using WSO2 Micro Integrator Connectors. With Integration Studio, you can design and implement integration flows that connect diverse systems and execute various actions, such as sending messages, executing queries, or retrieving data. You can build integration flows using either prebuilt connectors provided by WSO2 MI or custom connectors developed using the Connector Development Toolkit. Integration Studio offers a graphical user interface that simplifies the process of building and testing integration flows while also providing a set of tools for managing and deploying these flows in a WSO2 MI runtime environment.
+For more information, see the following topics in the WSO2 API Manager documentation.
+ +WSO2 MI buildpack is where you can deploy integrations developed with WSO2 Micro Integrator as an API. In this preset, you have three different ways to define endpoints. Choreo gives priory to the definition of endpoints in the below-mentioned order.
+Using component.yaml file
+This is the most flexible method to define endpoints. You can configure the endpoint details with the component.yaml configuration file. Place this file in the .choreo directory in the project path of the component.
+If the Micro Integrator project has inbound endpoints, you can expose them via different endpoints using the component.yamlfile.
To learn about the component.yaml file, see Overview of the component.yaml file.
Auto generating endpoints
+If component.yaml is not provided and if the source Micro Integrator project has APIs, Choreo scans the project and generates the API endpoints. If the project has few APIs, an endpoint will be generated for each API. The visibility of this auto-generated endpoint is set to Public by default. You can change the visibility in the deployment flow.
Provide default endpoints
+If component.yaml is not provided and if the source Micro Integrator project doesn't have APIs, Choreo generates a default endpoint which will expose the default micro integrator port (8290) with Public visibility and wildcard context.
Note
+If you are currently using component-config.yaml or endpoints.yaml configuration files, see the respective migration guide for instructions on migrating to the recommended component.yaml configuration file.
For a hands-on experience with MI-based integrations in Choreo, we recommend exploring our samples in Choreo Console. You can filter out the samples based on the buildpack WSO2 MI. This will point you to the samples in the Choreo samples GitHub repository
Fork the Repository: Start by forking the repository to your account.
+Explore & run: Navigate through the different integration scenarios. Each example has a README.md with setup and execution instructions.
+Choreo allows you to automatically scale your component replicas up or down in number based on resource consumption to ensure high availability.
+Note
+Autoscaling capabilities are only available in paid plans for private data plane organizations. +In the free tier, components run in a single-replica, low-availability mode.
+
The following parameters allow you to scale component replicas:
+2.5. There is no restriction on the value in private data planes.Tip
+If you update a scaling parameter, it may not immediately reflect in the Choreo Console because the change can take some time to propagate.
+Run a fixed number of replicas
+If you want to run exactly 3 replicas for a component, you must set the minimum and maximum replicas to 3.
Scale to zero
+0, your component does not scale to zero automatically during low usage. It can only go down to 1 replica.0 suspends the deployment.Choreo provides the scale-to-zero capability for HTTP applications you deploy in the data plane. This lets you run your components in a serverless mode.
+Scale to zero is very useful in lower environments, where you can significantly reduce infrastructure costs by scaling down idle workloads. In production environments, you can also use scale-to-zero capability if your application's behavior aligns with this feature behavior. In the paid tier, if you want to run your application with more guaranteed high availability, it is recommended to choose HPA (Horizontal Pod Autoscaler) scaling method and configure a minimum replica count of 2 or higher.
+Info
+For service components and web-apps you create after February 23, 2024, Choreo enables the scale-to-zero feature by default.
+When Scale to Zero is enabled, your apps will automatically scale down to zero unless they receive HTTP traffic. When the application receives an HTTP request, your workload quickly scales up from zero to handle the request. When a new request is received by the deployment, the deployment will scale up to one replica and serve the request. When the deployment remains idle for a set period (approximately 5 minutes), it will automatically scale back to zero until a new request is received.
+When Scale to Zero is enabled, you can set the maximum number of replicas for deployments with this capability. Choreo dynamically scales deployments up to meet high HTTP traffic demand, up to the specified number of replicas. If the pending requests surpass the defined threshold under Number of pending requests to spawn a new pod, Choreo automatically adds a new replica to handle the increased load.
+
For service components and web-apps you create after February 23, 2024, Choreo enables the scale-to-zero feature by default. When deploying or promoting the component, the deployment will automatically scale-to-zero. +Upon the next request to the deployed service, a replica will be created to serve the request.
+Note
+To enable scale-to-zero for service components created before February 23, 2024, follow the steps given below:
+In the left navigation menu, click DevOps and then click Scaling.
+If you are a free user, you will see a view similar to the one below. You can click the scale-to-zero card to enable scale-to-zero for your component.
+
If you are a paid user or you are running your applications in your own private data plane, you will see a view similar to the one below. You can click the scale-to-zero card to enable scale-to-zero for your component.
+
Note
+The scale-to-zero service should start within 60 seconds. If it doesn’t, the gateway will timeout the request.
+You can independently scale Choreo components in both the Development and Production environments. The deployment card indicates the scaling status of each environment. To configure the scale-to-zero feature for a specific environment, click on the scale-to-zero link, which redirects to the Devops → Scaling page.
+
When you turn on the scale-to-zero for your application, the minimum replicas for your app will be set to zero. However, you can still select an appropriate maximum number of replicas.
+Scheduled tasks and manually triggered components cannot connect to a service on a project scope if scale-to-zero is enabled. Attempting to do so results in the following error:
+Host not found, not forwarding request.
To allow a task-type component to invoke a project-level service, set it to HPA mode if you are on a paid plan, or to no scaling if you are on the Developer plan.
+When your Choreo application scales down to zero, an intermediary proxy service intercepts incoming requests. If a request is directed at your application, this service initiates a scale-up. Requests are held in the proxy's queue until your application becomes active. After scaling up, the proxy forwards the queued requests to your application.
+If your application remains without HTTP traffic for an extended period (default idle time is 5 minutes), it will be scaled down to zero until more HTTP requests arrive. Conversely, if there's a surge in HTTP traffic to your scaled-up application, Choreo will further increase its scale to manage the demand. Choreo considers adding additional replicas if the number of queued requests surpasses the 'Target Pending Requests' threshold, which is set to 100 by default. You can adjust this threshold in the user interface.
+Note
+The initial request after a long period of inactivity experiences a delay because the application must first scale up from zero. If your API operates in a service-chain sequence (e.g., service-1 activates service-2, which in turn calls service-3), this waiting time may extend further. If your application or its chain takes a considerable time to scale up, be aware that the first request might face a timeout.
+When Choreo enables scale-to-zero by default, it will configure the readiness probe with some default values. However, in some cases, you may observe that your first request responds with a 503 status code. To overcome these behaviors, fine-tune the readiness probe in the DevOps → Health Checks view to match your application's needs.
+ + + + + + +In Choreo, you can view detailed information about the container that comprises a component, such as its image tag, the corresponding commit ID, any imposed resource usage limits, and so on.
+Each component in Choreo is limited to a single main container.
+
Resource Limits
+Resource limits ensure that a single component does not take up more resources than it requires, which can affect other workloads on the data plane. If a process exceeds the allocated memory limit, the corresponding container will be forcefully shut down and restarted. If the process exceeds the allocated CPU limit, it gets throttled and can result in significant latencies in compute and I/O operations.
+Choreo allows you to edit the default container configuration depending on your requirement.
+Follow these steps to update container configurations:
+Apply the necessary changes and click Save.
+
The following topics walk you through the container configuration changes you can apply.
+Note
+The capability to update resource requests and limits is only available in paid pricing plans.
+To update resource requests and limits, move the corresponding slider to a required position. A resource request cannot be less than its corresponding limit.
+You can select one of the following options as the image pull policy.
+If Not Present - The image is pulled from the container registry only if a matching image is not present in the data plane.
+Tip
+The recommended option is If Not Present.
+You can specify appropriate values for the Container Port and Service Port. The Service Port is the port exposed outside of the container to your project-scoped endpoint. If you do not know the value to specify as the Service Port, specify the Container Port value in both fields.
+Tip
+You do not need to configure port values manually for Ballerina components. The capability to edit port values is primarily for containerized/Dockerfile-based components.
+You can also select an appropriate Protocol.
+You can define a command and arguments for a container when you want to provide or override the ENTRYPOINT of a container. For example, in a scenario where you want to run legacy or third-party applications, you would want to provide or override the ENTRYPOINT of a container.
When you define a command and arguments,
+ENTRYPOINT array and it is not executed within a shell. $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged.$$ are reduced to $, which allows escaping the $(VAR_NAME) syntax. This means that "$$(VAR_NAME)" produces the string literal "$(VAR_NAME)". The ENTRYPOINT of the container image is used if you do not define a command and arguments for the container.
All components you create in Choreo have a default read-only file system, which you cannot access or write to from your applications.
+Volume mounts allow you to create either temporary or persisted writable file system storage locations for your applications.
+| Type | +Description | +
|---|---|
| Empty Directory (In-Memory) | +A fast, temporary in-memory (tmpfs) storage location. This volume gets erased when you restart or remove the attached container. Available on all data planes. | +
| Empty Directory (Disk) | +A temporary storage location on disk. This volume gets destroyed when you restart or remove the attached container. Only available on private data planes. | +
| Persistent Volume | +A permanent storage location. This volume persists even if you restart or remove the attached container. Only available on private data planes. | +
Tip
+All components have a writable location in the /tmp directory at the time of component creation. You can also configure other writable locations if required.
Empty directory (in-memory or on-disk) mounts allow you to create temporary file systems that your application can read from and write to. This option provides a convenient way to create a scratch space to write files temporarily before storing them in a more permanent storage location such as a cloud-backed storage bucket. +For example, unzipping a file, temporarily writing results from a memory-intensive operation to disk, a temporary local cache, etc. +However, it is important to note that these volumes destroy when you restart or update a container because the volumes are attached to the lifetime of a container.
+Follow these steps to create a temporary storage space for your container:
+
Click Next.
+In-memory (tmpfs) storage uses up container memory
+Storage capacity for this type of volume will count against the container's memory limit.
+Uncontrolled writes to this location may starve your application process of memory and can result in the container getting killed and restarted if the memory limits exceed.
To add a mount location, specify a Mount Path and click Add mount.
+Tip
+
Click Create. This applies the volume mount immediately to your container and triggers a rolling restart.
+Follow these steps to create a persistent storage space for your container:
+Note
+Persistent volume options are only available in private data plane organizations.
+Select an appropriate Access Mode.
+Check and specify an access mode supported by the storage class
+
Click Next.
+To add a mount location, specify a Mount Path and click Add mount.
+Tip
+Click Create. This applies the volume immediately to your container.
+Secure access to private networks from the Choreo cloud data plane is an essential use case for cloud data plane users.
+Choreo allows this secure connection using Tailscale. For this, Choreo provides a prebuilt Tailscale image component that can act as a forward proxy, which you can deploy in your Choreo project as a service. This service allows you to forward traffic to your external networks via Tailscale’s peer-to-peer WireGuard network.
+The following diagram illustrates the high-level deployment architecture of the Tailscale pre-installed forward proxy:
+
Let's take a look at the specifics of each part to understand the deployment architecture.
+Choreo project
+In Choreo, a project groups various components. For more information on what a project in Choreo is, see the documentation on Project.
+Tailscale proxy
+This acts as the Tailscale pre-installed forward proxy, facilitating secure peer-to-peer WireGuard connections from the Choreo cloud data plane to private networks. It includes a Tailscale Daemon, SOCKS5 proxy, and a configurable TCP forwarder.
+Tailscale daemon
+This is the core component of Tailscale. It is a software service that provides secure network connectivity and private networking solutions. For more details see the Tailscale documentation.
+SOCKS5 proxy
+This uses Tailscale’s userspace networking mode, rather than the kernel mode. Therefore, the inbuilt SOCKS5 proxy handles the forwarded traffic and directs it through the Tailscale network.
+TCP forwarder
+Forwards inbound TCP (transmission control protocol) traffic from the Tailscale proxy container’s network interface to the SOCKS5 proxy, ensuring it reaches its destination via the secured WireGuard tunnel.
+User applications and the Choreo API gateway
+User applications within the same namespace (project) can use the Kubernetes service created to front the Tailscale proxy, for connecting to the corresponding private endpoints. You can either expose this service within the organization via the internal API gateway or expose it to the public via the external API gateway. For more details, see the documentation on Choreo endpoints.
+Now that you understand the deployment architecture, let’s explore how you can use Tailscale to secure connections to your private networks.
+This section walks you through the steps to create, configure, deploy, and use the Tailscale proxy component.
+
Let's get started.
+If you are signing in to the Choreo Console for the first time, create an organization as follows:
+Stark Industries.This creates the organization and opens the organization home page.
+Follow the steps given below to create a project:
+Enter a display name, unique name, and description for the project. You can enter the values given below:
+Info
+In the Name field, you must specify a name to uniquely identify your project in various contexts. The value is editable only at the time you create the project. You cannot change the name after you create the project.
+| Field | +Value | +
|---|---|
| Project Display Name | +Tailscale Proxy Project | +
| Name | +tailscale-proxy-project | +
| Project Description | +My Tailscale project | +
Click Create. This creates the project and takes you to the project home page.
+Enter a display name, component name, and a description for the service. For this guide, let's enter the following values:
+| Field | +Value | +
|---|---|
| Component Display Name | +Tailscale proxy | +
| Component Name | +tailscale-proxy | +
| Description | +Tailscale proxy component | +
Click the Container Registry tab.
+Now you have successfully created the Tailscale proxy. You can proceed to configure and deploy it.
+Here, you will add the required volume mounts, set the Tailscale authentication key, configure the TCP forwarder, configure endpoints, and deploy the Tailscale proxy. Follow the steps given below:
+Tailscale requires the following volume mounts for its operations:
+/var/run/tailscale/.localTo create the volume mounts, follow the step-by-step instructions in Configure Storage.
+To configure and deploy the component, follow the steps given below:
+TS_AUTH_KEY environment variable as a secret. To add the environment variable, you must obtain an authentication key from your Tailscale network.To mount a configuration file to the Tailscale proxy component and specify the port mapping for the TCP forward proxy running there, do the following:
+/config.yaml as the Mount Path.Specify the following in the sample configuration file: +
+Note
+In this sample configuration, the TCP traffic arriving at port 8080 on your Tailscale proxy will be forwarded to port 8090 on the node with IP address 100.108.78.93 in your Tailscale network. Similarly, port 8081 will map to the corresponding address. You can find the IP addresses of your nodes on the Tailscale machines page in your Tailscale network's admin console or via the Tailscale clients running on your machine.
+Click Next.
+In the Endpoints pane that opens, click + Add and edit the endpoints.yaml configuration to expose your Tailscale proxy as a service. The following is a sample endpoints.yaml configuration you can use:
Note
+The sample endpoints.yaml file given below defines two project-level endpoints. These endpoints can be used by other components within the same project to access the services. If you want to directly expose your private endpoint via the Choreo gateway either with the Public or Organization visibility, you can set the networkVisibility property of the endpoint to Public or Organization.
Click Save.
+Click Next and then click Deploy.
+Note
+Deploying the component may take a while. You can track the progress by observing the logs. Once the deployment is complete, the build status changes to Active on the Development environment card.
+When the component is deployed, you can observe a new node connected to your Tailscale network. To view this, go to the Tailscale machines page of your Tailscale coordination server.
+Now you have successfully deployed the Tailscale proxy in your project and it is connected to your Tailnet. You can proceed to use the Tailscale proxy to provision access for other components to securely access private network endpoints.
+You can configure endpoints of the Tailscale proxy to use it for various aspects within Choreo.
+Tailscale nodes have a default node key expiry time of 180 days. Nodes require re-authentication after key expiry to avoid connection losses and application downtime. There is an option to disable node key expiry if necessary. For more details, see Node key expiry documentation.
+Auth keys are used to register new nodes into your Tailscale network. The default expiry time for auth keys is 90 days, but nodes remain connected even after auth key expiry. This becomes an issue only if the Tailscale Proxy component is redeployed or restarted.
+If you want to add a new private endpoint to your network and access it via the same Tailscale proxy within Choreo, you must add a new port mapping entry in the port mapping configuration of your Tailscale proxy deployment.
+Since the Tailscale proxy acts as a forward proxy, it is important to configure health checks. You can use one of the open ports of the TCP forwarder as a health endpoint. For details on how to set up health probes in Choreo, see Set up health checks.
+You can use Tailscale ACLs to precisely manage permission for users and devices on your Tailnet.
+It is recommended to disable Scale-to-Zero for the Tailscale proxy because it acts as a forward proxy and should always be up and running to make consistent connections with the Tailscale VPN mesh. +If you enable Scale-to-Zero, you may experience service downtime.
+To achieve high availability and resiliency for the Tailscale proxy, you must run multiple replicas with HPA. To configure multiple replicas for the Tailscale proxy component, go to the Scaling page under DevOps. For more details, see Autoscale component replicas
+Before deploying the Tailscale proxy in production environments, it is recommended to follow the Tailscale production best practices and security best practices.
+Note
+Choreo blocks incoming connections from other nodes in your Tailnet to the Tailscale proxy to prevent access to your project’s namespace in the Choreo cloud data plane.
+For assistance in resolving common Tailscale proxy issues, see Troubleshoot Tailscale proxy issues.
+ + + + + + +Choreo allows you to easily manage and version your component's configurations and secrets as file mounts or environment variables.
+Note
+All configurations and secrets applied to a Choreo component are stored in an encrypted secret vault in the cloud data plane, which is managed by WSO2. +If you are on a private data plane, the configurations and secrets are stored in an Azure key vault or AWS secret manager attached to your data plane in your cloud environment.
+Choreo considers all configurations and secrets to be sensitive content when storing them, but gives you the option to choose between secret or configuration when you create a file mount or an environment variable.
+Configurations can be read and updated via the Choreo Console after you create them.
+Note
+If you want to include sensitive data such as database passwords, cloud credentials, service accounts, and so on, the recommended approach is to use a secret instead of a configuration.
+Follow these steps to apply a file mount to a component you have created:
+If you want to create the file mount as a secret, select Mark as a Secret. Otherwise, proceed to the next step.
+Note
+If you create the file mount as a secret, you will not be able to read the file content after you create the file mount.
+In the Display Name field, specify a name for the file mount.
+Tip
+The display name does not affect the file mount or its content. It is only a reference to identify the configuration or secret you create.
+In the File Mount Path field, specify where to mount the file inside the container. Use an absolute file path with the file name and extension if applicable.
+Tip
+The file name in the mount path does not need to match the configuration name or the name of the file you upload.
+Upload a configuration file or copy and paste the configuration content into the editor.
+Click Create.
+Note
+Configurations and secrets are applied immediately to your environment on creation. To ensure that the container reflects the new content, your existing running replicas undergo a rolling restart.
+Follow these steps to apply environment variables to a component you have created:
+If you want to create the environment variable values as secrets, select Mark as a Secret. Otherwise, proceed to the next step.
+Note
+If you create environment variables as secrets, you will not be able to read the values you set for the environment variables after you create them.
+In the Display Name field, specify a name to identify the configuration or secret.
+Tip
+The display name you specify does not affect the environment variables you set. It is only a reference to identify the configuration or secret you create.
+Under Add Environment Variables, specify the necessary environment variables as key-value pairs. You can click Add Item to add any number of environment variables.
+Click Create.
+Follow these steps to update a configuration or secret you have defined:
+Follow these steps to delete a configuration or secret you have defined:
+Choreo manages the Ballerina configurables for the Ballerina components you create.
+When you deploy or promote a Ballerina application, you can modify the Ballerina configurables via the Deploy page.
+Tip
+You can use configurables instead of environment variables to add file mounts to a Ballerina component. + Environment variables are primarily for components written in other languages.
+By default, all projects created in the cloud data planes (irrespective of the data plane region) are provisioned with two environments (i.e., development and production).
+The environments are listed in the order of deployment and promotion. The initial deployment takes place in the first environment and you can proceed to promote a component to subsequent environments.
+ENVIRONMENT-MANAGEMENT permission. By default, ENVIRONMENT-MANAGEMENT permission is granted to Admin and Choreo DevOps roles.To create a new environment, follow the steps given below:
+On the Environments page, click Create and specify the following details to create a new environment:
+Data Plane - The data plane to create the new environment.
+Tip
+The Data Plane list displays all the private data planes registered under your organization.
+DNS Prefix: A DNS prefix to identify the exposed APIs in the environment. Here, the base domain depends on the custom domain attached to the API gateways provisioned on the selected data plane.
+Mark environment as a Production environment: Select if you want this environment to be a production environment.
+Tip
+In Choreo, you can have multiple non-production and production environments. To work in a production environment, you must have privileged permissions to access and deploy to production environments.
+The order in which environments are listed on the Environments page is the same order in which promotion takes place.
+To change the order of promotion across environments in an organization, follow the steps given below:
+On the Environments page, click and drag environment list items to rearrange the order of listed environments.
+Note
+Although changes to the order of promotion for environments are applied immediately, the change does not affect the components already running in environments. Only subsequent builds and promotions will follow the new order.
+To see the changes, go to the Deploy page of a component (in any project).
+To delete an environment, follow the steps given below:
+Warning
+Environment deletion is a permanent, non-reversible operation.
+Health checks ensure that a running container is always healthy and ready to serve traffic.
+Liveness probes run periodically on your container and restart if the probe fails. +This allows the container to self-heal in scenarios where the application may have crashed or become unresponsive.
+Similar to liveness probes, readiness probes run periodically throughout the lifecycle of a container. +However, unlike liveness probes, these probes do not restart the container if the probe fails. Instead, they stop the container from receiving network traffic.
+Readiness probes on single replicas
+You must be mindful when you configure readiness probes on a single-running replica. If the readiness probe fails, your application stops receiving traffic because there is only one active replica. The application may not recover unless the liveness probe fails and restarts the container.
+You can configure the following probe types for both readiness and liveness probes.
+GET request¶This probe sends an HTTP GET request to a specified port and path on the container. A response status code in the range of 200-399 indicates that the request is a success.
Depending on your requirement, you can configure additional HTTP headers.
+The recommended approach is to create a /healthz or /health endpoint in your service for this purpose.
This probe attempts to open a socket to the container on the specified port. If it cannot establish a TCP connection, it becomes a failure.
+This probe executes a given script inside the container. A non-zero return from the command is considered a failure.
+For example, ["cat", "/tmp/healthy"] is considered healthy if the file /tmp/healthy is present. If not, it becomes a failure (non-zero exit code).
+In such scenarios, the application is responsible for writing and maintaining this file in the specified location.
Follow these steps to configure liveness and readiness probes on a container:
+Configure the liveness probe depending on your requirement.
+
Click Save.
+Click Save.
+Note
+You can update or remove a probe at any time.
+Follow these steps to ensure that the container works as expected:
+In Choreo, you can view details about running replicas of a component in a specific environment (i.e., Development or Production).
+To view the runtime details of a component, follow the steps given below:
+
The runtime details you can see here are analogous to a zoomed-in view of a specific environment on the Deploy page.
+The following topics walk you through the specific details you can view and actions you can perform via the Runtime page.
+On the Runtime page, you can click Redeploy Release to immediately redeploy all resources, including configurations and secrets, to a specific environment. This triggers a rolling update to sync all the latest changes to the data plane.
+What is a release?
+A release in Choreo uniquely identifies an underlying deployment of a component to an environment for a given version. For example, if you deploy a component to two environments across two versions, the component will have four active releases.
+The capability to redeploy a release also allows you to quickly restart all the running replicas of a component in a specific environment.
+The running instances you see on the Runtime page provide insights into the active replicas of your component in the selected environment.
+If you want to see the real-time logs and information on conditions and events of a replica, click the menu icon of the replica and then click Real-time Logs or Conditions & Events depending on what you need to view. These options provide insights that help to diagnose issues in deployments.
+
Note
+Unlike the logs available in the Observability Metrics of a component, these logs are fetched in real-time from the data plane and are not historical. Therefore, you can only see logs of active containers and the last shutdown container.
+
Conditions and events provide information necessary to troubleshoot failing deployments.
+
If a component is not behaving as expected and you cannot detect any issues via the application logs, these events can provide necessary debugging information, such as the following:
+Generative AI (GenAI) services leverage advanced machine learning models to create original content such as text, images, music, or code, by identifying and learning patterns from existing data. Powered by deep neural networks and other machine learning models, these services can generate human-like outputs in various formats. This versatility makes GenAI ideal for tasks such as content creation, image generation, conversation automation, etc.
+Choreo enables seamless integration with GenAI services, allowing you to incorporate these capabilities within your applications.
+To use a GenAI service in Choreo, you need to register it. Once registered, the service becomes available in the Internal Marketplace, allowing you to consume it via a Connection.
+You can register a GenAI service at two levels:
+Before registering a GenAI service, obtain the following details from the service provider: + - API key. + - Service URL. + - Other necessary parameters. For example, client credentials.
+To register a GenAI service, follow these steps:
+Note
+Ensure that you register the service at the appropriate level depending on the usage. If the service must be shared among multiple projects, register it at the organization level. Otherwise, register it at the project level.
+Under Register Service, enter the following details for the service:
+Click Next.
+Under Add Configurations, enter details for the service. + !!! note + - The configuration details to enter vary depending on the selected service provider. + - To successfully register a service, ensure you provide all the required configurations.
+Click Register.
+Once registered, the GenAI service is automatically listed in the Internal Marketplace.
+If you want to remove the service from the Internal Marketplace, see Remove a GenAI service from the Internal Marketplace.
+The GenAI services you register are discoverable via the Internal Marketplace for you to consume via a Connection.
+For details on consuming a GenAI service via a connection, see Create a Connection.
+When you create a GenAI service, it gets listed in the GenAI Services list.
+To view or update a GenAI service, follow these steps.
+Info
+To add a GenAI service to the Internal Marketplace, you must provide all the required configurations.
+This removes the service from the Internal Marketplace. Therefore, the service will not be available to consume via a Connection. However, the connections created before removal will continue to work as expected.
+ + + + + + +Third-party services are external applications, platforms, or APIs you can integrate with your system to enhance its functionality, extend capabilities, or provide specialized features. These services are developed and maintained by external entities, providing expertise in specific domains outside your application's core focus.
+The following topics walk you through the steps to seamlessly register, manage, and consume third-party services, adhering to API-first principles.
+To use a third-party service in Choreo, you need to register it. Once registered, the service becomes available in the Internal Marketplace, allowing you to consume it via a Connection.
+You can register a third-party service at two levels:
+Choreo allows you to register the following third-party service types:
+Before registering a third-party service, obtain the following details from the service provider:
+To register a third-party service, follow these steps:
+Note
+Ensure you register the service at an appropriate level depending on the service usage. If the service must be shared among multiple projects, register it at the organization level. Otherwise, register it at the project level.
+Now you are ready to define endpoints for the service.
+An endpoint is a set of parameters required to connect to a service. The required parameters are service URL, API key header, etc. +These parameters provide the necessary information for a client application to interact with the service.
+To define service endpoints, follow these steps:
+Under Define New Endpoint,
+Under Additional Parameters, add any other parameters required to connect to the service. + For example, API key, authorization token, etc.
+Note
+Select the environments where the endpoint should be accessible.
+Note
+Service consumers can create connections to the endpoint only from the selected environments.
+Click OK.
+If you want to add more endpoints, click + New Endpoint and repeat steps 1 to 4.
+Click Register.
+When you define all required parameter values for at least one endpoint, the service will be automatically listed in the Internal Marketplace. Otherwise, you must add the service to the Internal Marketplace after providing the endpoint values.
+If you want to remove a third-party service from the Internal Marketplace, see Remove a third-party service from the Internal Marketplace.
+For details on managing third-party services, see Manage third-party service.
+The third-party services you register are discoverable via the Internal Marketplace to consume via a Connection.
+For details on consuming a third-party service via a connection, see Create a Connection.
+When you create a third-party service, it gets listed in the Third-Party Services list.
+To view or update a third-party service, follow these steps.
+Info
+To add a third-party service to the Internal Marketplace, you must provide all required parameters for at least one endpoint.
+This removes the service from the Internal Marketplace. Therefore, the service will not be available to consume via a Connection. However, the connections created before removal will continue to work as expected.
+ + + + + + +When you create a Choreo-managed database or cache, you can add it to the Marketplace, making it available for consumption through a connection.
+Note
+To add a Choreo-managed database or cache to the Marketplace, you must register at least one credential for it.
+When you create a database or cache server, you get super admin credentials by default. You can use these credentials to create new user credentials. The steps to create new user credentials depend on the type of database or cache you are using.
+You can register either the default super admin credentials or any custom credentials you create using the super admin credentials.
+To register credentials for a database, follow these steps:
+Tip
+Choreo allows you to delete registered credentials to prevent their use when establishing new connections. However, deleting credentials will not affect any existing database connections that are already using them.
+Once the database is added to the Marketplace, it can be consumed via a connection. For details on creating a connection to a Choreo-managed database, see Create a connection to a database.
+Note
+To remove a database or cache that you added to the Marketplace, click the corresponding Remove from Marketplace. This action prevents new connections to the removed database, but existing connections remain unaffected.
+For details on using a database connection in your component, see Use a Database Connection in Your Component.
+ + + + + + +Any platform services you create within your Choreo Organization will be included in your current Choreo subscription. The quantity included will vary depending on the service plan of the resources you create.
+A few important considerations:
+Try out the free trial
+Choreo provides a 7 day free trial for all database types on the 'Hobbyist' service plan (for free tier users).
+Fully compatible with legacy Redis® OSS.
+Choreo-Managed Cache provides fully-managed in-memory NoSQL databases on AWS, Azure, GCP, and Digital Ocean and can be used as a cache, database, streaming engine, or message broker.
+Follow the steps below to create a Choreo-Managed Cache:
+To connect to your Choreo-Managed Cache, follow these guidelines:
+The high availability and the automatic backup retention periods for a Choreo-Managed Cache can vary as follows depending on the service plan you select.
+| Service plan | +High availability | +Backup features | +Backup history | +
|---|---|---|---|
| Hobbyist | +Single-node with limited availability. | +Single backup only for disaster recovery | +None | +
| Startup | +Single-node with limited availability. | +Single backup only for disaster recovery | +1 day | +
| Business | +Two-node (primary + standby) with higher availability (automatic failover if the primary node fails). | +Automatic backups | +3 days | +
| Premium | +Three-node (primary + standby + standby) with highest availability (automatic failover if the primary node fails). | +Automatic backups | +13 days | +
In general, service plans are recommended for production scenarios due to the following reasons:
+Minor failures: Choreo automatically handles minor failures such as service process crashes or temporary loss of network access in all plans without requiring significant changes to the service deployment. Choreo automatically restores the service to normal operation once it automatically restarts the crashed process or when it restores the network access.
+Severe failures: Failures such as losing a node entirely in case of hardware or severe software problems, require more drastic recovery measures. The monitoring infrastructure automatically detects a failing node when the node starts reporting issues in the self-diagnostics or when it stops communicating. In such cases, the monitoring infrastructure automatically schedules a new replacement node to be created.
+The number of simultaneous connections in a Choreo-Managed Cache depends on the total available memory on the server instances.
+You can use the following to estimate:
+ + +Here, m represents the memory in megabytes, where at least 10,000 connections are available, even on the smallest servers.
+For example, on a server with 4GB memory (4,096 MB), the simultaneous connections are:
This number is estimated by the exact available memory so it can vary between different plans and cloud providers. To see the exact maximum connections allowed, use the * redis-cli and info command as follows:
+ + +To maintain the stability and security of a managed environment, Choreo restricts certain commands on Choreo-Managed Cache services.
+Support for Lua scripts on Choreo-Managed Cache
+EVAL, EVALSHA, and SCRIPT LOAD commands.EVAL, EVALSHA, and SCRIPT LOAD commands are enabled by default.The following commands are disabled on Choreo:
+bgrewriteaof: Initiates a background append-only file rewrite.cluster: Manages Caching cluster commands.command: Provides details about all Caching commands.debug: Contains sub-commands for debugging Caching.failover: Manages manual failover of a master to a replica.migrate: Atomically transfers a key from one caching instance to another.role: Returns the role of the instance in the context of replication.slaveof: Makes the server a replica of another instance, or promotes it as master.acl: Manages caching access control lists.bgsave: Creates a snapshot of the data set into a dump file.config: Alters the configuration of a running caching server.lastsave: Returns the UNIX timestamp of the last successful save to disk.monitor: Streams back every command processed by the Caching server.replicaof: Makes the server a replica of another instance.save: Synchronously saves the dataset to disk.shutdown: Synchronously saves the dataset to disk and then shuts down the server.The following eval commands are also disabled:
eval: Executes a Lua script server-side.eval_ro: Read-only variant of the eval command.evalsha: Executes a script cached on the server side by its SHA1 digest.evalsha_ro: Read-only variant of the evalsha command.fcall: Calls a Caching function.fcall_ro: Read-only variant of the fcall command.function: Manages Caching functions.script: Manages the script cache.Choreo allows you to create PostgreSQL and MySQL databases as well as Choreo-Managed Cache instances on all major cloud providers (AWS, Azure, GCP, and DigitalOcean) as fully Choreo-managed platform services. +These databases and caches can be seamlessly provisioned to offer persistence and caching capabilities for all your Choreo components. Choreo provides various service plans for each type, ranging from smaller instances for development purposes to production-grade databases with automatic backups and high-availability multi-nodes.
+PostgreSQL (also known as Postgres), is an open-source object-relational database management system. You can create PostgreSQL databases on Choreo as fully Choreo-managed, flexible SQL databases that are ideal for both structured and unstructured data. If you want to perform an efficient vector similarity search, you can create a PostgreSQL vector database.
+ +MySQL is a user-friendly, flexible, open-source relational database management system with a well-established history in the SQL database realm. Choreo allows you to swiftly create fully Choreo-managed MySQL databases, enabling rapid setup and utilization.
+ +A fully-managed cache compatible with legacy Redis® OSS. A versatile, in-memory NoSQL database that serves as a cache, database, streaming engine, and message broker. Choreo-managed Cache allows you to have fully-managed instances that can be swiftly provisioned and integrated into your applications within minutes.
+ ++ PostgreSQL, MySQL, and Redis® are trademarks and property of their respective owners. All product and service names used in this documentation are for identification purposes only. +
+ + + + + + +MySQL on Choreo offers fully managed, flexible relational databases on AWS, Azure, GCP, and Digital Ocean.
+Follow the steps below to create a Choreo-managed MySQL database:
+To connect to your Choreo-managed MySQL database, consider the following guidelines:
+The high availability characteristics and the automatic backup retention periods for Choreo-managed MySQL databases vary based on your service plan as explained below:
+| Service Plan | +High Availability | +Backup Retention Time | +
|---|---|---|
| Hobbyist | +Single-node with limited availability | +None | +
| Startup | +Single-node with limited availability | +2 days | +
| Business | +Two-node (primary + standby) with higher availability | +14 days | +
| Premium | +Three-node (primary + standby + standby) with highest availability | +30 days | +
In general, we recommend service plans for production scenarios for multiple reasons: +- Provides another physical copy of the data in case of hardware, software, or network failures. +- Typically reduces the data loss window in disaster scenarios. +- Provides a quicker time to restore with a controlled failover in case of failures, as the standby is already installed and running.
+Choreo runs full backups daily to automatically back up Choreo-managed MySQL databases and record binary logs continuously. +Choreo encrypts all backups at rest.
+Choreo automatically handles outages and software failures by replacing broken nodes with new ones that resume correctly from the point of failure. The impact of a failure will depend on the number of available standby nodes in the database.
+The maximum number of simultaneous connections to MySQL databases is fixed for each service plan and depends on how much RAM your service plan offers.
+Note
+An extra_connection with a value of 1 is added for system processes for all MySQL databases, regardless of the service plan.
For plans under 4 GiB of RAM, the number of allowed connections is 75 per GiB:
For plans with 4 GiB or more RAM, the number of allowed connections is 100 per GiB:
PostgreSQL on Choreo offers fully Choreo-managed, efficient object-relational databases on AWS, Azure, GCP, and Digital Ocean. Additionally, Choreo allows you to create fully-managed PostgreSQL vector databases if you want to perform efficient vector similarity search.
+Follow the steps below to create a Choreo-managed PostgreSQL database:
+Follow the steps below to create a Choreo-managed PostgreSQL vector database:
+To connect to your Choreo-managed PostgreSQL database, consider the following guidelines:
+The high availability characteristics and the automatic backup retention periods for Choreo-managed PostgreSQL databases vary based on the selected service plan as shown below.
+| Service Plan | +High Availability | +Backup Retention Time | +
|---|---|---|
| Hobbyist | +Single-node with limited availability | +None | +
| Startup | +Single-node with limited availability | +2 days | +
| Business | +Two-node (primary + standby) with higher availability | +14 days | +
| Premium | +Three-node (primary + standby + standby) with highest availability | +30 days | +
Service plans with standby nodes are generally recommended for production scenarios for multiple reasons: +- Provides another physical copy of the data in case of hardware, software, or network failures. +- Typically reduces the data loss window in disaster scenarios. +- Provides a quicker time to restore with a controlled failover in case of failures, as the standby is already installed and running.
+Choreo runs full backups daily to automatically back up Choreo-managed PostgreSQL databases and copies the write-ahead logs (WAL) at 5-minute intervals or for every new file generated. +Choreo encrypts all backups at rest.
+Choreo automatically handles outages and software failures by replacing broken nodes with new ones that resume correctly from the point of failure. The impact of a failure will depend on the number of available standby nodes in the database.
+Minor failures: Choreo automatically handles minor failures such as service process crashes or temporary loss of network access in all plans without requiring significant changes to the service deployment. Choreo automatically restores the service to normal operation once Choreo automatically restarts the crashed process or when Choreo restores the network access.
+Severe failures: To handle severe failures such as losing a node entirely in case of hardware or severe software problems, requires more drastic recovery measures. The monitoring infrastructure automatically detects a failing node, both when the node starts reporting issues in the self-diagnostics or when it stops communicating. In such cases, the monitoring infrastructure automatically schedules a new replacement node to be created.
++++
+- In the event of database failover, the Service URI of your service remains the same; only the IP address will change to point to the new primary node.
+- Hobbyist and Startup plan provide a single node, and in case of failure, a new node starts up, restores its state from the latest available backup, and resumes serving traffic. +In this plan, as there is just a single node providing the service, the service will become unavailable for the duration of the restoration. In addition, any write operations made since the backup of the latest WAL file will be lost. Typically, this time window is limited to either five minutes of time or one WAL file.
+
The following connection limits apply to Choreo-managed PostgreSQL databases based on the selected service plan.
+| Service Plan | +Max Connections | +
|---|---|
| Hobbyist | +25 | +
| Startup/Business/Premium-4 | +100 | +
| Business-16 | +400 | +
| Premium-8 | +200 | +
Choreo allows you to create Apache Kafka services across major cloud providers (AWS, Azure, GCP, and DigitalOcean) as Choreo-managed platform services for your message brokering needs. These fully managed Kafka instances can seamlessly integrate with Choreo components, providing scalable messaging for real-time data pipelines and event-driven applications. Choreo offers multiple Kafka service plans, ranging from lightweight instances for development purposes to production-grade clusters with automatic backups, high-availability multi-nodes, and partitioning.
+Note
+Apache Kafka is an open-source platform for real-time event streaming and handling large-scale, event-driven data. You can create Kafka services on Choreo as fully-managed, scalable, message brokers, ideal for handling large volumes of event-driven data.
+ + + + + + + +After creating a Kafka service, you can create topics, configure advanced settings, and manage access to ensure secure and efficient message processing.
+Kafka topics are logical channels used to organize and transfer messages between producers and consumers. They form the core of Kafka's architecture, enabling data streams to be written and read. Kafka topics can also be partitioned to improve scalability and fault tolerance.
+To create a Kafka topic, follow these steps:
+Choreo allows you to customize settings for Kafka topics, including the number of partitions, replication factor, cleanup policy, retention size (bytes), retention duration (hours), and the minimum number of in-sync replicas.
+Cleanup Policy: Determines how messages that reach their retention limit are handled. There are three options:
+Replication: Sets the number of partition copies to ensure data durability. The default is 3.
+Partitions: Defines the number of segments the topic should be divided into for parallel processing. The default is 1 partition.
+Retention Bytes: Sets the maximum size of retained messages. Older messages are discarded on reaching this limit. The default is unlimited (-1).
+Retention Hours: Defines the retention period for messages before deletion. The default is 168 hours (7 days).
+Min In-Sync Replicas: Specifies the minimum number of replicas that must acknowledge a write for it to be considered successful. The default is 2.
+Choreo-managed Kafka services use access control lists (ACLs) and user definitions to control access to topics. You can manage users and ACL entries from the corresponding tabs on the Kafka service details page.
+To manage users for a Choreo-managed Kafka service, follow these steps:
+By default, new users do not have any permissions. You can grant necessary permissions to users through access control lists (ACLs).
+An ACL entry defines access permission for a user. Each entry includes:
+To add an ACL entry, follow these steps:
+Kafka on Choreo offers fully managed, distributed message broker services across AWS, Azure, GCP, and DigitalOcean. These services are designed to handle high-throughput, fault-tolerant data streaming use cases such as real-time analytics, event sourcing, and log aggregation.
+Note
+Follow the steps below to create a Choreo-managed Kafka service:
+To connect to your Choreo-managed Kafka service, use the connection parameters from the Overview tab on the service details page. Choreo secures Kafka connections via client certificate authentication.
+
To use the Kafka service with producer and consumer applications, you must configure them with the provided credentials and connection parameters.
+By default, Kafka services accept traffic from the internet. However, if you want to restrict access to specific IP addresses or CIDR blocks, you can configure the necessary advanced settings.
+To use the Kafka service in producer and consumer applications, you must add the required parameters as configurations and secrets in Choreo. You can obtain the parameter values from the Overview tab on the service details page and include key configurations such as the access key, access certificate, CA certificate, and service URI. Ensure you create a topic before producing or consuming Kafka messages. If a topic already exists, you can proceed.
+Follow these steps to set up required configurations and secrets:
+Define the required configurations and secrets at the component level for each.
+ You can configure the service.key, service.cert, and ca.pem using file mounts. The following sample implementation uses a file mount for the CA certificate. You can follow the same approach for the other files.
Set other configurations, such as TOPIC_NAME and SERVICE_URI as environment variables. You can define these as shown in the following sample implementation.
package main
+
+ import (
+ "context"
+ "crypto/tls"
+ "crypto/x509"
+ "fmt"
+ "log"
+ "os"
+ "time"
+
+ "github.com/segmentio/kafka-go"
+ )
+
+ // loadPEMFromFile reads a PEM file from the specified file path.
+ func loadPEMFromFile(filePath string) ([]byte, error) {
+ data, err := os.ReadFile(filePath)
+ if err != nil {
+ return nil, fmt.Errorf("failed to read file %s: %w", filePath, err)
+ }
+ return data, nil
+ }
+
+ // loadCertificates loads the necessary certificates for TLS configuration.
+ func loadCertificates() (tls.Certificate, *x509.CertPool, error) {
+ serviceCert, err := loadPEMFromFile("/service.cert")
+ if err != nil {
+ return tls.Certificate{}, nil, fmt.Errorf("failed to load service cert: %v", err)
+ }
+
+ serviceKey, err := loadPEMFromFile("/service.key")
+ if err != nil {
+ return tls.Certificate{}, nil, fmt.Errorf("failed to load service key: %v", err)
+ }
+
+ caCert, err := loadPEMFromFile("/ca.pem")
+ if err != nil {
+ return tls.Certificate{}, nil, fmt.Errorf("failed to load ca cert: %v", err)
+ }
+
+ keypair, err := tls.X509KeyPair(serviceCert, serviceKey)
+ if err != nil {
+ return tls.Certificate{}, nil, fmt.Errorf("failed to load key and cert: %v", err)
+ }
+
+ caCertPool := x509.NewCertPool()
+ if !caCertPool.AppendCertsFromPEM(caCert) {
+ return tls.Certificate{}, nil, fmt.Errorf("failed to append ca cert")
+ }
+
+ return keypair, caCertPool, nil
+ }
+
+ // createKafkaDialer initializes a Kafka dialer with the provided certificates and CA pool.
+ func createKafkaDialer(keypair tls.Certificate, caCertPool *x509.CertPool) *kafka.Dialer {
+ return &kafka.Dialer{
+ Timeout: 10 * time.Second,
+ DualStack: true,
+ TLS: &tls.Config{
+ Certificates: []tls.Certificate{keypair},
+ RootCAs: caCertPool,
+ },
+ }
+ }
+
+ // setupKafkaProducer initializes and returns a Kafka producer.
+ func setupKafkaProducer(dialer *kafka.Dialer, serviceURI, topicName string) *kafka.Writer {
+ return kafka.NewWriter(kafka.WriterConfig{
+ Brokers: []string{serviceURI},
+ Topic: topicName,
+ Dialer: dialer,
+ })
+ }
+
+ // sendMessages sends a specified number of messages to the Kafka topic.
+ func sendMessages(producer *kafka.Writer, count int) {
+ for i := 0; i < count; i++ {
+ message := fmt.Sprintf("Hello from Go using SSL %d!", i+1)
+ err := producer.WriteMessages(context.Background(), kafka.Message{Value: []byte(message)})
+ if err != nil {
+ log.Printf("failed to send message: %v", err)
+ } else {
+ log.Printf("message sent: %s", message)
+ }
+ time.Sleep(time.Second)
+ }
+ }
+
+ func main() {
+ // Load environment variables
+ serviceURI := os.Getenv("SERVICE_URI")
+ if serviceURI == "" {
+ log.Fatalln("service uri is not set")
+ }
+
+ topicName := os.Getenv("TOPIC_NAME")
+ if topicName == "" {
+ log.Fatalln("topic name is not set")
+ }
+
+ // Load certificates and configure TLS
+ keypair, caCertPool, err := loadCertificates()
+ if err != nil {
+ log.Fatalf("failed to load certificates: %v", err)
+ }
+
+ // Create Kafka dialer
+ dialer := createKafkaDialer(keypair, caCertPool)
+
+ // Set up Kafka producer
+ producer := setupKafkaProducer(dialer, serviceURI, topicName)
+ defer func() {
+ if err := producer.Close(); err != nil {
+ log.Printf("failed to close producer: %v", err)
+ }
+ }()
+
+ // Send messages
+ sendMessages(producer, 100)
+ }
+ package main
+
+ import (
+ "context"
+ "crypto/tls"
+ "crypto/x509"
+ "fmt"
+ "log"
+ "os"
+ "time"
+
+ "github.com/segmentio/kafka-go"
+ )
+
+ // loadPEMFromFile reads a PEM file from the specified file path.
+ func loadPEMFromFile(filePath string) ([]byte, error) {
+ data, err := os.ReadFile(filePath)
+ if err != nil {
+ return nil, fmt.Errorf("failed to read file %s: %w", filePath, err)
+ }
+ return data, nil
+ }
+
+ // loadCertificates loads the necessary certificates for TLS configuration.
+ func loadCertificates() (tls.Certificate, *x509.CertPool, error) {
+ serviceCert, err := loadPEMFromFile("/service.cert")
+ if err != nil {
+ return tls.Certificate{}, nil, fmt.Errorf("failed to load service cert: %v", err)
+ }
+
+ serviceKey, err := loadPEMFromFile("/service.key")
+ if err != nil {
+ return tls.Certificate{}, nil, fmt.Errorf("failed to load service key: %v", err)
+ }
+
+ caCert, err := loadPEMFromFile("/ca.pem")
+ if err != nil {
+ return tls.Certificate{}, nil, fmt.Errorf("failed to load ca cert: %v", err)
+ }
+
+ keypair, err := tls.X509KeyPair(serviceCert, serviceKey)
+ if err != nil {
+ return tls.Certificate{}, nil, fmt.Errorf("failed to load key and cert: %v", err)
+ }
+
+ caCertPool := x509.NewCertPool()
+ if !caCertPool.AppendCertsFromPEM(caCert) {
+ return tls.Certificate{}, nil, fmt.Errorf("failed to append ca cert")
+ }
+
+ return keypair, caCertPool, nil
+ }
+
+ // createKafkaDialer initializes a Kafka dialer with the provided certificates and CA pool.
+ func createKafkaDialer(keypair tls.Certificate, caCertPool *x509.CertPool) *kafka.Dialer {
+ return &kafka.Dialer{
+ Timeout: 10 * time.Second,
+ DualStack: true,
+ TLS: &tls.Config{
+ Certificates: []tls.Certificate{keypair},
+ RootCAs: caCertPool,
+ },
+ }
+ }
+
+ // setupKafkaConsumer initializes and returns a Kafka consumer.
+ func setupKafkaConsumer(dialer *kafka.Dialer, serviceURI, topicName string) *kafka.Reader {
+ return kafka.NewReader(kafka.ReaderConfig{
+ Brokers: []string{serviceURI},
+ Topic: topicName,
+ Dialer: dialer,
+ })
+ }
+
+ // consumeMessages continuously reads messages from the Kafka topic.
+ func consumeMessages(consumer *kafka.Reader) {
+ for {
+ msg, err := consumer.ReadMessage(context.Background())
+ if err != nil {
+ log.Printf("could not read message: %v", err)
+ continue
+ }
+ log.Printf("received: %s", msg.Value)
+ }
+ }
+
+ func main() {
+ // Load environment variables
+ serviceURI := os.Getenv("SERVICE_URI")
+ if serviceURI == "" {
+ log.Fatalln("service uri is not set")
+ }
+
+ topicName := os.Getenv("TOPIC_NAME")
+ if topicName == "" {
+ log.Fatalln("topic name is not set")
+ }
+
+ // Load certificates and configure TLS
+ keypair, caCertPool, err := loadCertificates()
+ if err != nil {
+ log.Fatalf("failed to load certificates: %v", err)
+ }
+
+ // Create Kafka dialer
+ dialer := createKafkaDialer(keypair, caCertPool)
+
+ // Set up Kafka consumer
+ consumer := setupKafkaConsumer(dialer, serviceURI, topicName)
+ defer func() {
+ if err := consumer.Close(); err != nil {
+ log.Printf("failed to close consumer: %v", err)
+ }
+ }()
+
+ // Consume messages
+ consumeMessages(consumer)
+ }
+You can monitor the health and performance of your Kafka services via the service metrics and service logs.
+Service metrics provide real-time insights into the performance of your Kafka service.
+To view service metrics for a Kafka service, go to the Metrics tab on the service details page.
+The service metrics include the following:
+Service logs provide a detailed record of Kafka service activity, such as producer and consumer operations, connection statuses, and error reports. These logs are essential for troubleshooting issues and analyzing message flow. Logs are retained for up to 4 days.
+To view Choreo-managed Kafka service logs, go to the Logs tab on the service details page.
+ + + + + + +This section explains how you can configure alerts for your API manager deployments. Setting up alerts allows you to proactively monitor your API ecosystem and take corrective measures when necessary.
+You can configure alerts for each environment within your organization. You can add, modify, or delete alerts per API. Optionally, you can specify a list of emails for each alert configuration.
+Alerts are subject to a suppression policy to prevent duplicate notifications within a specific time frame. By default, a 10-minute suppression window is applied, and this is not configurable. The suppression policy is specific to each alert configuration.
+Info
+Alerts can be categorized as either latency alerts or traffic alerts.
+Latency alerts notify you if the response latency of an API exceeds a predefined threshold. This is useful for APIs that need to meet specific SLAs and for proactively identifying slow APIs.
+To configure a new latency alert, follow the steps given below:
+Click Alert Configuration.
+
This opens the Alert Configuration pane with the Latency tab open by default.
+In the API Name field, select the API for which you want to configure the alert.
+Info
+Only the APIs that you have invoked at least once are listed here. For other APIs, you need to give the API name in the required format as instructed in the UI.
+In the Metric field, select the required metric against which you want to evaluate the alert configuration.
+Tip
+The list includes all available options. If there are multiple metrics, you can select the required metric. If there is only one metric to choose, that metric is selected by default, and the field is disabled.
+In the Latency field, specify the threshold in milliseconds.
+Info
+When the 95th percentile of the selected metric exceeds the threshold provided here, alerts are triggered.
+In the Emails field, specify the list of emails that should be notified when the alert is added.
+Click + Add.
+Once an alert is successfully added, the alert configuration is listed in the Alert Configuration pane. Each configuration can be edited and removed via this pane.
+Traffic alerts notify you when the request count of an API exceeds a predefined threshold. This is useful for managing APIs with backend traffic limits or monetized backends that require proactive scaling based on incoming traffic.
+To configure a new traffic alert, follow the steps below:
+In the API Name field, select the API for which you want to configure the alert.
+Info
+Only the APIs that you have invoked at least once are listed here. For other APIs, you need to give the API name in the required format as instructed in the UI.
+In the Metric field, select the required metric against which you want to evaluate the alert configuration.
+Tip
+The list includes all available options. If there are multiple metrics, you can select the required metric. If there is only one metric to choose, that metric is selected by default, and the field is disabled.
+In the Threshold field, specify the threshold number of requests per minute.
+If required, specify the list of emails that should be notified when the alert is generated in the Emails field.
+Click Add.
+Once an alert is successfully added, the alert configuration is listed in the Alert Configuration pane. Each configuration can be edited and removed via this pane.
+ + + + + + +
You can view DORA metrics in Choreo to use as KPIs to measure your organization's DevOps team's performance. Choreo enables this feature by default for all organizations. DORA includes the following four key metrics that are regarded as the most important metrics to indicate team performance:
+Choreo enables two DORA metrics by default; deployment frequency and lead time for change.
+To configure the CIO dashboard by enabling the other two metrics, follow the steps below:
+
To configure GitHub as the incident management system, follow the steps below:
+
First, let's authorize Choreo to access the repositories used to record incidents.
+On the Add Integration page, select GitHub and click Authorize with GitHub.
+Once the authorization process is complete, you can start configuring the GitHub repository.
+
By default, Choreo collects incident details(issues) from all repositories containing Choreo components. However, you can configure a GitHub account and a GitHub repository to allow Choreo to read issues from a specific repository, and then click Next.
+| Field | +Description | +Value | +
|---|---|---|
| Data Plane | +Choreo collects incident details by running a scheduled job which invokes the GitHub API periodically. This job runs on the user's data plane. This configuration allows users to specify a preferred data plane to run the job, especially when they have multiple data planes. | +Select a preferred data plane from the Data Plane list. | +
| GitHub Account | +The GitHub account you have your repositories in. | +Select your GitHub account that includes the repository used for incident collection. | +
| GitHub Repository | +By default, Choreo will collect incident details(issues) from all repositories that already have Choreo components. | ++ |
The filter label allows Choreo to scrape issues associated with that label.
+Incident Label: The label Choreo uses to identify incidents. For example, Type/Incident.
Invalid incident label(Optional): Choreo will not scrape issues with this label and will proceed to skip these issues. For example, Resolution/Invalid. You can use this label when you want to ignore issues. For example, closing an issue after identifying that it doesn't qualify as an incident issue as it was due to a user error.
Once you configure the labels, click Save.
+Choreo will enable incident data publishing in the background once you save. Once completed, DORA metric charts will appear in the CIO dashboard for Mean Time To Recover and Change Failure Rate. If there are any issues in the configuration, the configure banner will reappear, and the user can proceed to reconfigure.
+Choreo extracts deployment information from the relevant incident and generates DORA metrics that help you analyze the deployment statistics related to the incidents. Therefore, you must manually update the GitHub issue with the relevant deployment-related information. Follow the steps below to add the deployment information to the GitHub issue.
+On the right-hand side panel, select the relevant deployment, and click Release details to copy the deployment details to the clipboard.
+
Get deployment details) at the end of the issue body.That's it! You have successfully configured your CIO dashboard to include the DORA metrics.
+Note
+The CIO Dashboard is expected to reflect the latest statistics within approximately 30 minutes.
+
You can edit or override the configurations you made via the edit option in the dashboard.
+ + + + + + +DORA metrics comprise four key metrics. Let's explore what each metric represents in Choreo. Choreo displays a summary and graphical representation of each metric.
+
The snapshot view includes four tiles on the top of the dashboard, summarizing DORA metrics for the entire time period you select. The snapshot view categorizes each metric into four performance levels: elite, high, medium, and low. The categorization is based on the 2020 DORA metric report.
+
The time series view provides a graphical representation of how the statistics have changed over a period of time. You can use this view to analyze team performance and identify trends.
+
DORA team definition: The frequency at which an organization successfully releases to production.
+In Choreo, this translates to the number of times an organization deploys a component to the production environment. Choreo does not count the deployment done to the development or other lower environments.
+
The snapshot view of the Deployment Frequency metric shows the deployment frequency for all components within the selected organization. The frequency is dynamically determined and rounded to the nearest measurement. For example, if there is more than one deployment daily, the deployment frequency is measured in deployments per day. If the deployment frequency is less, it is measured in a higher granularity. For example, deployments per week.
A lower deployment frequency indicates that your organizational efficiency is low and that you need to evaluate and improve the processes to encourage frequent releases.
+Choreo also displays the total number of deployments for the selected time range and the percentage increase or decrease compared to the previous time range.
+
The time series view for the Deployment Frequency metric visualizes the deployment count as a bar chart for the selected time period. Deployment count is aggregated based on the ‘view by’ selector. Hovering over each bar shows the counts for the aggregated period.
+Using this chart, organizations can identify deployment patterns, such as days of the week/months of the year where more deployments are likely to happen (near quarterly release days) and periods with fewer deployments. Decision-makers can then take steps to investigate and improve performance.
+This chart displays the pattern before and after a process change so you can use it to evaluate the team's performance after a significant process change.
DORA team definition: The time it takes for a commit to reach production.
+In Choreo, this translates into the time between committing and promoting a deployment to production. Although this approach may overlook any commits you push to production between two commits, it effectively assesses the efficiency of the review, approval, and CI/CD processes. Therefore, focusing on the production commits is adequate. If a team commits locally for extended periods without deploying to production, this gets reflected in the Deployment Frequency charts.
The snapshot view of this metric displays the 95th percentile of the lead time for the selected time period. 95th percentile serves as a better representation as it filters out large outliers that can taint the average value. Lower lead times for change suggest that your organization has efficient processes for change review, approval, and CI/CD, while longer times suggest that the process needs to improve. Organizations can also use the categorization label to determine their standpoint on global standards.
+Additionally, Choreo also displays the percentage increase or decrease compared to the last time period.
+
The time series view of this metric visualizes the lead time as a bar chart for the selected time period. The time is summed based on the ‘view by’ selector. To handle outliers, the y-axis employs a log scale that represents values read dynamically. Hovering over each bar displays the actual counts for the aggregated period. +Using this chart, organizations can identify trends in their release process. For example, organizations can identify the time of the year when lead time rises, such as summer break. Also, organizations can use this to benchmark and evaluate new process changes. For example, if you introduced a process to include peer programming and reviewing, this chart can be used to evaluate its effect on the lead time and provide leadership with factual information to proceed further.
+The DORA team definition: The percentage of deployments causing a failure in production.
+In Choreo, this translates to the ratio of deployments causing production failures to the total number of deployments. If there is at least one incident reported against a deployment, Choreo considers that deployment as a failed deployment in production. Any deployment-time failures are not counted as production failures because such failures don't impact the end user. For this metric to be accurate, the organization is expected to open incidents adhering to the proper format as it is crucial for Choreo to identify production failures.
+
The snapshot view of this metric visualizes the change failure rate as a percentage for the selected time period. This will be the absolute percentage for the entire time period. When deciding on the time, the time of deployment is considered instead of the incident reported time. For example, the change failure rate for January 2023 will reflect the following: + - All deployments that happened within January. + - Any incidents that were reported at any time (in or after January) against the January deployments.
+This view helps leadership assess the quality of deliverables and identify areas for improvement. Higher rates suggest that the organization needs to improve its processes to bring in more quality assurance aspects such as improved code coverage and end-to-end test coverage.
+Additionally, Choreo also shows the percentage increase or decrease compared to the previous time period.
+
The time series view of this metric displays it as a line chart with data points corresponding to the granularity selected by the ‘view by’ selector. The absolute percentage is shown for each granularity. Hovering over the line chart displays the actual counts for the aggregated period. +This chart helps leadership identify timely trends in product quality aspects. For example, this view displays the months of the year where the failure rate is high (for example, close to quarterly release/announcement dates). Also, you can use this to measure the effectiveness of changes introduced to improve quality. For example, if the organization introduced an end-to-end test pipeline integration to the PR approval process, they can use this view to factually observe the timely impact of that change and determine how it decreases the failure rate.
+The DORA team definition: The time it takes for an organization to recover from a production failure.
+In Choreo, this measures the time from identifying a production incident to resolving it. This metric reflects the responsiveness and agility of incident management teams.
+Choreo depends on the open and close times of incidents to gather the relevant information. Therefore, for the dashboards to be accurate, organizations must follow process guidelines to update and close incident tickets efficiently in their incident management system.
+
The snapshot view for this metric displays the mean recovery time for the selected time period. Choreo dynamically adjusts the time unit to measure this metric for better readability. +This chart helps organizations evaluate the response time and agility of their incident handling teams, which in turn is an indication of stability. Higher MTTR means the leadership should look at new ways of improving the efficiency and agility of the teams handling incidents.
+
The time series view of this metric shows how the mean time to recovery changes over time on a granularity based on the ‘view by’ selector. Each time the granularity mean would be used as the aggregation factor. Hovering over the line chart displays the actual counts for the aggregated period.
+This view helps leadership understand timely trends on mean time to recovery, such as higher values during holiday periods when there is less staff. Also, you can use this measurement to evaluate the effectiveness of process changes such as introducing an incident response plan. The trend view clearly shows the before and after statistics and the effectiveness of the process change.
Choreo insights allow you to generate custom reports to view the information that is important to you to make timely decisions for the betterment of your business. With custom reports, you can generate reports for a set of metrics of your choice and aggregate results by specific fields. Once generated, the metrics can be filtered out using any selected group-by filters. Custom reports support three visualizations: overtime charts, pie charts, and tables.
+Choreo Insights allow you to retrieve data for the following metrics:
+Group-by fields specify how to group the metric data. e.g., You can select Successful Hit Count in the Metrics field and API Name under Group-by to retrieve the successful hit count grouped by the API name.
+Choreo Insights allow you to group metric data by the following fields:
+To generate a custom report, follow the steps below:
+In the left navigation menu, click Custom Reports.
+
Select metric(s) from the Metrics drop-down selector.
+
Select a minimum of 1 and a maximum of 3 group-by field(s) from the Group By drop down selector.
+Set the order of the group-by filters by drag and drop to determine the grouping order of the selected metric(s).
+Once you determine the order of the group-by fields, you can set values for each group-by field from the respective dropdown.
+
Click Generate.
+
Choreo Insights allow you to download report data related to each chart as a PDF or a CSV file.
+To do this, click the Download icon on the top right of the relevant chart and select the required file format.
+ 
Choreo provides comprehensive insights into APIs created within both the on-premises API Manager and the Choreo platform. Choreo insights provide a range of metrics, including API traffic, error rates, and latency, allowing you to monitor and optimize API performance effectively.
+With Choreo insights, you can:
+By leveraging these insights, businesses can make informed decisions to enhance their API strategies and drive their digital transformation initiatives forward.
+To view usage insights, go to the Choreo Console and click Usage Insights in the left navigation menu.
+If you are viewing insights on the Choreo platform at the organization level, note the following:
+View Organization Insights permission under OBSERVABILITY-MANAGEMENT with the mapping level defined at the Organization level.View Organization Insights permission by default and can view organization-wide insights.By ensuring proper permissions are set, organizations can manage access to insights effectively while maintaining data security and relevance.
+Once you access the Usage Insights page, you can access the following subpages.
+The Overview page gives you a quick overview of the system status.
+
The information displayed is as follows:
+Total Traffic
+
This widget displays the total traffic of the selected environment received during a given time interval. Both successful requests and failed requests are displayed. To investigate further, you can click the arrow icon on the bottom right corner of the widget to open the Traffic page.
+Error Request Count
+
This widget displays the total number of requests that have resulted in errors in your selected environment during the selected time range.
+Average Error Rate
+
This widget displays the average error rate (i.e., error count/total request count) of the selected environment for a given time interval. You can use this widget as an indicator to understand the health of the system. If the error rate is high, you can investigate further by clicking the arrow on the bottom right of the widget and opening the Errors page.
+95th Percentile Latency
+
This widget displays the 95th percentile of all API latencies in your selected environment for the given time interval. You can use this widget to know whether the complete system operates under given SLAs. This metric provides the first indication of slow APIs. To investigate further, you can click the arrow on the bottom right of the widget to open the Latency page where you can further analyze the latency.
+API Request Summary
+
This chart displays the total successful requests, the total requests that have resulted in errors, and the latency in a timeline. The y-axis on the left displays the request count and the error count. The x-axis shows time, and the y-axis on the right shows the latency in milliseconds. The granularity of the data points is decided based on the time range you have selected. The tooltip provides the exact value of all three metrics accurately.
+The Traffic page shows information related to the traffic that goes through your API management deployments. This includes API usage, application usage, resource usage, etc. You can use this page to investigate the usage of APIs and applications, traffic patterns, etc.
+
You can filter the information displayed in the widgets as follows:
+| Filtering Option | +Description | +
|---|---|
| By API | +In the API field, you can select one or more APIs for which you want to view analytics. All is selected by default. Once you select an API, you can further filter by a specific application that uses the selected API via the Application field described below. | +
| By Application | +In the Application field, you can select the applications for which you want to view analytics. All is selected by default. The available applications are all the applications that have subscribed to one or more of the APIs you selected in the API field. | +
You can view the following information for the APIs you have selected using the above filtering criteria:
+API Usage Over Time
+This timeline shows the count of API hits for the APIs for the filtered APIs. If multiple APIs are selected, the timeline shows each API in a separate line with a legend separating each line. You can also zoom in on a selected time range by selecting that area in the chart. To restore to the original view use the Zoom out button on the top right-hand corner of the plot.
+
API Usage By Application
+This widget shows the per-application breakdown of requests for the APIs you selected. You can use the pie chart view or the line chart view. You can switch between the two views using the small icon at the upper-right corner of the widget.
+
API Usage By Target
+This widget shows the per-backend breakdown of requests for the APIs you selected. This information is useful when multiple APIs share the same backend that has traffic restrictions. You can use these stats to scale your backends proactively. You can switch between the two views using the small icon at the upper-right corner of the widget.
+
API Resource Usage
+This table shows a resource-level breakdown of API traffic. Each row represents an API resource and it shows the API name, resource path, API method, and the hit count for that combination.
+
The Errors page shows information related to erroneous API calls that are received by your system. The errors are categorized based on the error type. You can further drill down using the error subtypes. Use this page as the starting point for debugging any API errors.
+
You can filter the information displayed in the widgets as follows:
+| Filtering Option | +Description | +
|---|---|
| By API | +In the API field, select the APIs for which you want to view analytics. By default, all APIs are selected. You can select one or multiple APIs from this selector and view the aggregated result. | +
| By Category | +The Category field is displayed when you click Category in the upper right corner of the page. In this field, you can select one or all of the following error categories: Authentication: Any kind of authentication error falls into this category including expired/missing/invalid credentials. Target Connectivity: Any kind of back-end error falls into this category including connection time-outs/other back-end errors (for example, 4xx and 5xx status codes). Throttling: Any request that fails due to rate-limiting falls into this category including application throttling/subscription throttling. Other: All other errors fall into this category including mediation errors/resource not found errors. |
+
| By Status Code | +The Status Code field is displayed when you click Status Code in the upper right corner of the page. In this field, you can select all or any available HTTP status code categories (4xx, 5xx, etc.). These status codes represent the response status of the API Gateway. | +
The following widgets are available for monitoring errors when you have selected Category in the upper-right corner of the page.
+This graph shows the error by category over time for the selected period. Apply the required filters as explained above to select the APIs and the error categories to which this content applies. When you select multiple APIs, the error count is grouped by category.
+
This table provides further information about the errors such as application details and the error reason. For some authentication errors, the application name is not available. You can use this table to get more concrete information about the errors related to your APIs and then start the problem identification.
+
The following widgets are available for monitoring errors when you select Status Code in the upper-right corner of the page.
+Errors by Status Code
+This graph shows the distribution of HTTP status codes received for errors over time for the selected period. Apply the required filters as explained above to select the APIs and status code groups to which this content applies. When you select multiple APIs, the error count is grouped by the status code.
+
Target Errors by Status Code
+This graph shows the distribution of target errors that have occurred during the selected time interval by HTTP status code. Apply the required filters as explained in the table above to view the APIs and status code groups to which this content applies. If you select multiple APIs, the widget groups the target error count by the status code.
+
Errors
+The Errors heat map shows the HTTP response codes of errors sent to the client by the API Gateway. Each row displays the number of times the system returned each status code for the selected APIs. The cell color is red for higher numbers and white for lower numbers. If required, you can further filter the results by the error code groups you identified with the Errors by Status Code graph.
+
Target Errors
+The Target errors heat map shows the HTTP response codes of errors that the API Gateway received from the backend. Each row displays the number of times the system returned each status code for the selected APIs. The cell color is red for higher numbers and white for lower numbers. If required, you can further filter the results by the error code groups you identified with the Target Errors by Status Code graph.
+
The Latency page shows information related to the latency of API calls within the API management deployment. You can view a summary of the slowest APIs and then drill down into the API view for further analysis. Use this page as a starting point to debug API slowness.
+
The information displayed is as follows:
+Top 10 Slowest APIs
+This widget allows you to identify the slowest APIs of the API management system at a glance. Since these are the APIs that contribute to the higher 95th percentile of the system, improving these APIs lowers the 95th percentile of latency in the API Management deployments.
+
Latencies By Category
+This widget allows you to further drill down details in the above chart. Use the API selector in this widget to select the slow API you identified in the earlier step and then analyze further. Use the charts available in the widget to view the 95th percentile and the median latency over the selected period of the following:
+
You can use these charts to further drill down and analyze whether the latency occurs in the backend, request mediation, or response mediation. Also, because you can see both the median and 95th percentile, you can easily identify whether the slowness is occurring in each request or whether it is intermittent.
+The Cache page shows statistics that indicate the efficiency with which response caching is carried out for the requests sent to your APIs.
+
The page displays the following statistics:
+Cache Hit Percentage
+This graph shows the percentage of requests the system has handled via the response cache over time and the total hits over time. This information allows you to assess how efficiently the backend handles API requests. For example, if the cache hit rate is low, it may indicate that the backend generates the same response each time a specific request is sent instead of returning the response via the cache. In such a scenario, there is scope to improve performance via response caching.
+
Latency
+This section shows the total latency reported during the same time interval applied to the Cache Hit Percentage graph above.
+
The Devices page displays information about operating systems and HTTP agents that end users use to invoke the APIs. You can use this page to get an idea of the distribution of your user base and improve your APIs to match the audience.
+
To filter the information displayed on this page by API, select the required API(s) in the API field. All is selected by default.
+The information displayed is as follows:
+Top Platforms
+This chart shows the breakdown of the API clients by the operating system. The pie chart only shows platforms with a significant amount of requests. Other platforms are grouped under the Other category.
+
Top User Agents
+This chart shows the breakdown of the API clients by user-agent. The pie chart only shows user agents with a significant amount of requests. Other platforms are grouped under the Other category.
+
The Alerts page shows information related to business alerts issued by Choreo for your currently selected environment and organization. You can use this page as a health monitoring dashboard and make it visible to your project team. Using this page you can drill down on each alert and discover possible anomalies in your published APIs. See the topics given below to get details of the available widgets and understand how to use them effectively.
+
Prerequisites
+To use this page, be sure to configure alerts and have API invocations that trigger alerts.
+Note
+Alerts are retained only for a week.
+Alert Summary
+This table lists each alert generated during the selected time interval. The message of the alert can be viewed by expanding the arrow icon on the details column. The drop-downs can be used to filter alerts based on the alert type and API.
+
Top APIs by Alert Count
+This shows a pie chart and a table to visualize the alert distribution during the selected time interval.
+
The Reports page allows you to download monthly usage reports for your system. There are preconfigured reports with system-wide statistics, and a custom report generator to generate reports based on a subset of APIs/applications.
+
This widget allows you to generate a custom report for the statistics that have been generated up to now and download it.
+
To generate a custom report, follow the steps below:
+In the API field, select one or more APIs for which you want to generate the report. If required, you can select all the APIs by selecting All.
+If you need to further filter the content printed in the report, select one or more applications in the Application field. By default, all the applications that have subscribed to one or more of the selected APIs are selected.
+Tip
+If you want to filter the report content by the API consumer instead of the application, click on the toggle switch to the right of the Application field, and then select the required consumer. Only consumers who have subscribed to one or more of the selected APIs are displayed in the list. You can either select one or all of them.
+Select the required year and the month in the Year and Month fields to specify the time interval for which you want to generate the report.
+Click Download, and select the required format.
+The report is downloaded in the specified format. The following is a sample report generated in PDF format.
+
The contents of the report are as follows.
+| Item | +Description | +
|---|---|
| Generated Time | +The date and the time the report was generated. | +
| Organization | +The organization to which the report applies. Each report always applies to a specific organization. | +
| Environment | +The environment to which the report applies. Each report always applies to a specific environment. | +
| Tenant | +The tenant to which the report applies. Each report always applies to a specific tenant. | +
| Reporting period | +The time interval for which the report is generated. | +
| Total request count | +The total request count received by all selected APIs during the report time interval. | +
The table in the report contains the following rows.
+| Item | +Description | +
|---|---|
| API | +The name of the API. | +
| Application | +The name of the application. The name of the subscriber is also provided within brackets. | +
| Usage | +The usage count. | +
These widgets allow you to download monthly reports for the last three months.
+
To download a pregenerated report, click Download for the relevant month and then click on the required format.
+The Geo Map page allows you to see a geographical representation of your API usage. You can use this page to make business decisions such as identifying growing regions, analyzing the impact of a region-specific marketing campaign, etc.
+
To filter the information displayed on this page by API, select the required API(s) in the API field. The default value is All.
+This heat map highlights the countries with the appropriate color based on the hit count. It uses a relative color scale to depict the highest hit count to the lowest non-zero hit count.
+
You can hold the pointer over the highlighted countries to view the country name and the total number of hits from that location. You can also use the mouse to zoom the map or pan it. Optionally, you can download geo-map data in a tabular format using the PDF or CSV download options by clicking 
on the top right corner.
Note
+x-forwarded-for header to each request to preserve the source IP address. If you do not configure this correctly, the Geo Map page will not show any data. To test this, you can manually add an x-forwarded-for header to the request.Moesif is an API analytics and monetization service that helps you grow your API products. You can integrate Choreo with Moesif and gain valuable insights into your API's usage. While Moesif's API analytics capabilities empower you to make informed decision-making on behalf of your organization, its monetization options simplify revenue generation from your APIs, eliminating the need for complex coding.
+In this guide, you will:
+Let's generate an API key in Moesif. +If you're an existing Moesif user with a registered organization, proceed to step 1.2.
+If you are a new user, follow the steps below to register an organization and generate a key:
+On the Get Started page, enter meaningful values for the fields and create a new organization.
+| Field | +Description | +
|---|---|
| Organization Name | +The name of your company or team. | +
| Application Name | +The name of your application that represents one project or environment. | +
Click Next.
+On the Overview page, click Next.
+This opens the Quick Install page. As there is no data, you cannot proceed. Let's configure Moesif to receive data from Choreo.
+Select a WSO2 Choreo as the Server Integration
+Copy the Application Id.
+
If you are an existing user with a registered organization, or you do not have an API key for the organization you created, follow the steps below to access the generated API key:
+Let's configure Choreo to publish events to Moesif.
+Once you successfully add the key, you will see a delete option next to it. Currently, you can only configure one API key. If you need to add a new API key, you need to delete the existing key and add the new one.
+Note
+Once you configure the Moesif API key on Choreo, wait for five minutes before you publish any data to the Moesif API analytics platform.
+You have configured Choreo to publish data to Moesif. Let's see how you can view the insights on Moesif.
+Tip
+Invoke your API by following the Test REST Endpoints via the OpenAPI Console guide.
+Once you publish data, your Moesif dashboard will receive events. Once Moesif receives events, you will see a notification on Moesif confirming that it received data.
+
Click Next on the notification. This will take you to the final step, where you can opt to add team members. In this guide, let's skip this step.
+You can now view your API's insights in the Moesif dashboard.
+ + + + + + +Choreo offers the capability to access runtime logs through its console. However, in cases where viewing logs for your PDP is not supported by Choreo yet, you can still view the runtime logs of your components via the log analyzing solution provided by your cloud vendor as a workaround.
+Before you try out this guide, complete the following:
+Release ID and the Namespace. Save it for later.You can view your PDP logs with Azure Log Analytics by following the steps below:
+<START_TIME_STAMP EX: 2023-04-10T07:07:31.684Z> and <END_TIME_STAMP EX: 2023-04-21T07:27:31.684Z> values as required. Replace the '<OPTIONAL SEARCH PHRASE> with your search term, or leave it blank if you don't require any search filtering.let startDateTime = datetime('<START_TIME_STAMP EX: 2023-04-10T07:07:31.684Z>');
+let endDateTime = datetime('<END_TIME_STAMP EX: 2023-04-21T07:27:31.684Z>');
+let releaseId = '<RELEASE_ID>';
+let namespace = '<NAMESPACE>';
+let searchPhrase = '<OPTIONAL SEARCH PHRASE>';
+let startDateTimeKPI = iff(datetime_diff('second', endDateTime, startDateTime) > 60, startDateTime, endDateTime - 2m);let endDateTimeKPI = iff(datetime_diff('second', endDateTime, startDateTime) > 60, endDateTime, startDateTime + 2m);let filteredLogLevels = dynamic([]);
+let hasNoLevelFilter = array_length(filteredLogLevels) == 0;
+let commonKeys = dynamic(['time', 'level', 'module', 'traceId', 'spanId', 'message']);
+let ContainerIdList = KubePodInventory
+| where TimeGenerated > startDateTimeKPI and TimeGenerated < endDateTimeKPI
+| where Namespace == namespace
+| where extractjson('$.[0].release_id', PodLabel) == releaseId
+| distinct ContainerID;
+let data = ContainerLog
+| where TimeGenerated > startDateTime and TimeGenerated < endDateTime
+| where ContainerID in (ContainerIdList)
+| where searchPhrase == "" or LogEntry contains searchPhrase
+| top 126 by TimeGenerated desc
+| extend logs = parse_json(LogEntry)
+| project TimeGenerated,
+LogLevel = iif(isempty(logs['level']), iff(LogEntrySource == 'stderr', 'ERROR', 'INFO'), logs['level']),
+LogEntry = iif(isempty(logs['message']), logs, logs['message']),
+KeyValuePair = bag_remove_keys(logs, commonKeys)
+| where hasNoLevelFilter or LogLevel in (filteredLogLevels);
+let lastTimeStamp = data
+| top 1 by TimeGenerated asc | project TimeGenerated;
+let trimmedData = data | where TimeGenerated > toscalar(lastTimeStamp)| sort by TimeGenerated desc;
+let selected = iff(toscalar(data | count) == 126, 'trimmedData', 'data');
+let choose = (selector:string){ union (trimmedData | where selector == 'trimmedData'), (data | where selector == 'data')};
+choose(selected);
+<RELEASE_ID> with the values you copied by following the steps in the prerequisites section. Replace the <OPTIONAL SEARCH PHRASE> with your search term, or leave it blank if you don't require any search filtering.The Choreo observability dashboard provides a comprehensive interface to visualize and monitor the performance of services deployed on Choreo.
+
The Observability dashboard allows you to:
+Tip
+If you are a Choreo private data plane customer and you want to observe your private data plane using New Relic, see Observing Choreo Private Data Planes With New Relic.
+The throughput graph depicts the throughput of requests per second for a selected timestamp.
+
By default, Choreo renders this graph for the data generated within the past 24 hours. You can change the default time window by selecting the time range and zone from the options bar. To expand the graph, click and drag the cursor over the period you want to drill down.
+You can view the Choreo service logs in the Logs pane below the throughput and latency graph. Clicking on a graph updates the Logs view to contain the corresponding log entries generated at that time. You can use these logs to identify the reasons for any latency and throughput anomalies you detect using the graph.
+The Diagnostics view allows you to simultaneously analyze errors, throughput, latencies, CPU usage, memory usage, and logs for a particular event. This facilitates detailed error detection and analysis.
+By default, the time range selected for the Throughput & Latency graphs is the same time range used for the Diagnostics view.
+Each horizontal section of the graph, termed a bin, represents a specific period and comprises:
+The Logs pane serves as a centralized view to observe logs of the components you deploy on Choreo. This facilitates rigorous troubleshooting and analysis.
+ + + + + + +The unified log view in Choreo allows you to view runtime and audit logs to gain application and user insights while ensuring data privacy.
+Choreo provides real-time insights through live logs and allows you to view historical logs for insights into the past. You also have the flexibility to define a required time range to view relevant log entries, where an intuitive scrolling capability facilitates easy viewing of appropriate logs within the selected time frame.
+The log view also provides advanced filtering capabilities that allow you to efficiently navigate through appropriate logs to expedite troubleshooting in distributed environments.
+Note
All personally identifiable information (PII) gets resolved at the frontend service level, with only relevant UUIDs stored in logs.
+ +Choreo runtime logs provide insights into both project and component-level logs, covering application and gateway logs. These logs streamline the debugging process by centralizing diverse log sources.
+In Choreo, any organization member can view runtime logs via the runtime logs page. Choreo allows you to apply filters based on parameters such as log level (error, warn, info, debug), log type (application, gateway), and environment (development, staging, production) to simplify the debugging process.
+To access runtime logs, follow the steps below:
+In the left navigation menu, click Observability and then click Runtime Logs. This displays runtime logs for the past 30 days by default.
+To view logs based on a specific time range and other requirements, you can apply the necessary filter criteria.
+
When you view component-level logs on the Runtime Logs page, you will see both application and gateway logs.
+Each application log entry displays the following details:
+timestamp: The time when the request is received by the component.level: Indicates the severity of the log message. Possible values are Debug, Info, Warn, and Error.componentVersion: The version of the invoked component.componentVersionId: The identifier of the invoked component’s version.envName: The environment of the inbound request. For example, Development, Production, etc.Each gateway log entry displays the following details:
+timestamp: The time when the request is received by the gateway component.logLine: Contains the following details about the request, including inbound and outbound information from the gateway perspective.Method: The HTTP method of the request.RequestPath: The path of the inbound request.ServicePath: The path of the outbound request.UserAgent: The user-agent header of the request.CorrelationID: The request identifier of the inbound request. This is useful to track a request.ServiceHost: The host IP of the backend.Duration: The time taken for the gateway to serve the request. gatewayCode: Indicates the state of the request from the gateway perspective. Possible values are as follows:
BACKEND_RESPONSE: Indicates successful processing of the request by the gateway with a response to the client from the backend application.CORS_RESPONSE: Denotes a CORS (Cross Origin Resource Sharing) request.AUTH_FAILURE: Indicates a request failure at the gateway due to authentication or authorization issues, such as an invalid token.NO_HEALTHY_BACKEND: Indicates a request failure at the gateway due to a non-existent backend.RATE_LIMITED: Indicates a request failure at the gateway due to surpassing the rate limit enforced within the component.RESOURCE_NOT_FOUND: Indicates a request failure at the gateway due to the absence of a matching API resource for the inbound request. This can be caused by a mismatch in the HTTP method, path, or host.BACKEND_TIMEOUT: Indicates a request timeout when calling the backend application from the gateway.GATEWAY_ERROR: Indicates a request failure due to an erroneous behavior in the gateway.Note
+Occasionally, a request may not fit into any of the above categories. In such instances, the gatewayCode is displayed as UNKNOWN.
statusCode: The HTTP status code returned to the client.
componentVersion: The version of the invoked component.envName: The environment of the inbound request. For example, Development, Production, etc.Audit logs, also called audit trails, enhance security, ensure compliance, provide operational insights, and help manage risks.
+In Choreo, an audit log records organization-level user-specific operations performed via the Choreo Console. It also captures the timestamp and the outcome of the action.
+As of now, Choreo captures the following user-specific operations as audit logs:
+In Choreo, organization administrators are allowed to view audit logs by default. If other members need to access organization-specific audit logs, the administrator can create a role with the relevant permission and assign it to members. For step-by-step instructions on how to create and assign a role with relevant permission, see Manage audit log access.
+To view audit logs, follow these steps:
+In the Choreo Console, go to the top navigation menu and click Organization.
+Tip
+As of now, you can only view organization-level audit logs.
+In the left navigation menu, click DevOps and then click Audit Logs. This displays audit logs for the past 30 days by default.
+To view audit logs based on a specific time range and other requirements, you can apply the necessary filter criteria.
+
Choreo retains audit logs for one year and archives them for an additional year. Therefore, the total retention period for audit logs is two years.
+Follow the steps given below to create a role with audit log access permission and assign it to organization members who need access to audit logs:
+Note
You must be the organization administrator to perform this action.
+ +Enter a name and description for the role.
+
Click Next.
+In the Create Role dialog, select LOG-MANAGEMENT under Permissions.
+
Click Create.
+Click on a member who needs to have access to audit logs, and then click + Add Role.
+Tip
+If you want to invite one or more members and assign them the audit log viewer role, follow the steps given below:
+Click to expand the Roles list and select the role you created in Step 1.
+The Usage Insights page in the Choreo Console displays data retrieved from the Insights API exposed over the Internet. However, in some scenarios, you may need to retrieve data from external systems and implement custom dashboards to display the data.
+Choreo provides a secure and user-friendly approach to accomplish this requirement. Follow the steps given below:
+Access the Developer Portal of the Choreo System organization via https://devportal.choreo.dev/choreosystem/applications and sign in using your preferred method.
To obtain access to the Choreo System organization, click Request Access.
To create an application and generate keys, follow the steps below:
+To create a new application in the Choreo System organization, click + Create Application.
Enter a name for the application and click Create. This creates the application and takes you to the Overview page.
+To subscribe to the Insights API via the newly created application, follow the steps below:
+Insights and click Add.To generate credentials for the application, follow the steps given below:
+To specify an appropriate token expiry time for the application, follow the steps given below:
+Specify an appropriate value in the Application access token expiry time field and click Update.
+
Execute the following cURL command to generate an access token:
+curl --location --request POST 'https://sts.choreo.dev/oauth2/token' \
+--header 'Authorization: Basic <BASE64_ENCODED_CONSUMER_KEY_AND_CONSUMER_SECRET_OF_YOUR_APP_HERE>' \
+--header 'Content-Type: application/x-www-form-urlencoded' \
+--data-urlencode 'grant_type=client_credentials' \
+--data-urlencode 'orgHandle=<YOUR_ORG_HANDLE_HERE>' \
+--data-urlencode 'scope=apim:api_manage'
+Info
+To obtain your organization handle, follow the steps given below:
+You can use the generated token to access the Insights API exposed via https://choreocontrolplane.choreo.dev/93tu/insights/1.0.0/query-api.
+The following is a sample cURL command to invoke the Insights API:
+curl --location --request POST 'https://choreocontrolplane.choreo.dev/93tu/insights/1.0.0/query-api' \
+--header 'Content-Type: application/json' \
+--header 'Authorization: Bearer <TOKEN_HERE>' \
+--data-raw '{"query":"query ($org: OrgFilter!) {listEnvironments(org: $org){id\n name}}","variables":{"org":{"orgId":"<ORG_UUID_HERE>"}}}'
+Tip
+
The Choreo Insights API is a GraphQL API that allows you to retrieve data from external systems based on specific criteria. This guide describes the operations and schema-defined types you can use to retrieve data via the Choreo Insights API.
+ +You can try out the Choreo Insights API with your data via GraphQL Explorer.
+Warning
+The GraphQL Explorer is currently not compatible with the Safari web browser due to a known issue.
+The query root of the Choreo Insights GraphQL API.
+| Field | +Argument | +Type | +Description | +
|---|---|---|---|
| listAllAPI | +[API] | +
+
+Fetches all the APIs with the given combination of tenant ID, environment ID, and organization ID. Optionally, you
+can configure the provider parameter to further filter the APIs by a specific provider.
+
+ |
+|
| provider | +String | ++ +The name of the API provider. + + | +|
| dataFilter | +DataFilter! | ++ +The data filter. + + | +|
| listApplications | +[Application] | +
+
+Fetches all the applications with the given combination of tenant ID, environment ID, and organization ID. Optionally, you
+can configure the applicationFilter parameter to further filter the applications by a specific application filter.
+
+ |
+|
| applicationFilter | +ApplicationFilter | ++ +The application filter. + + | +|
| dataFilter | +DataFilter! | ++ +The data filter. + + | +|
| listProviders | +[Provider] | ++ +Fetches all the API providers with the given combination of tenant ID, environment ID, and organization ID. + + | +|
| dataFilter | +DataFilter! | ++ +The data filter. + + | +|
| listSubscribers | +[Subscriber] | +
+
+Fetches all the API subscribers with the given combination of tenant ID, environment ID, and organization ID. Optionally, you
+can configure the subscriberFilter parameter to further filter the subscribers.
+
+ |
+|
| subscriberFilter | +SubscriberFilter | ++ +The subscriber filter. + + | +|
| dataFilter | +DataFilter! | ++ +The data filter. + + | +|
| listOrganizations | +[Organization] | ++ +Fetches all the organizations of a user. + + | +|
| listEnvironments | +[Environment] | ++ +Fetches all the environments of an organization. + + | +|
| org | +OrgFilter! | ++ +The organization filter. + + | +|
| projectId | +String | ++ +The project ID by which the results need to be filtered. It is optional to specify a value for this +parameter. Note that providing a project ID with an on-prem key is not allowed. + + | +|
| listTenants | +[String] | ++ +Fetches all the tenants with the given combination of environment ID and organization ID. + + | +|
| tenantDataFilter | +TenantDataFilter! | ++ +The tenant filter. + + | +|
| getTotalTraffic | +Int | ++ +Returns the total traffic during the given time range for the specified combination of tenant ID, environment ID, +and organization ID. + + | +|
| filter | +TimeFilter! | ++ +The time filter. + + | +|
| dataFilter | +DataFilter! | ++ +The data filter. + + | +|
| getTotalErrors | +Int | ++ +Returns the total number of errors that occurred during the given time range for the specified combination of tenant +ID, environment ID, and organization ID. + + | +|
| filter | +TimeFilter! | ++ +The time filter. + + | +|
| dataFilter | +DataFilter! | ++ +The data filter. + + | +|
| getOverallLatency | +Float | ++ +Returns the overall response latency (95th percentile value) during the given time range for the specified +combination of tenant ID, environment ID, and organization ID. + + | +|
| filter | +TimeFilter! | ++ +The time filter. + + | +|
| dataFilter | +DataFilter! | ++ +The data filter. + + | +|
| getLatencySummary | +LatencySummary | +
+
+Returns the response latency value (95th percentile value) for each time granularity within the specified time range
+for the given combination of tenant ID, environment ID, and organization ID. Optionally, you can configure the
+latencySummaryFilter parameter to further filter the results.
+
+ |
+|
| filter | +TimeFilter! | ++ +The time filter. + + | +|
| latencySummaryFilter | +LatencySummaryFilter | ++ +The latency summary filter. + + | +|
| dataFilter | +DataFilter! | ++ +The data filter. + + | +|
| getSuccessSummary | +SuccessSummary | +
+
+Returns the number of successful (2xx response code) hit count for each time granularity within the specified time
+range for the given combination of tenant ID, environment ID, and organization ID. Optionally, you can configure the
+granularity parameter to override the default granularity value.
+
+ |
+|
| filter | +TimeFilter! | ++ +The time filter. + + | +|
| dataFilter | +DataFilter! | ++ +The data filter. + + | +|
| granularity | +String | ++ +The granularity value. + + | +|
| getErrorSummary | +ErrorSummary | +
+
+Returns the number of unsuccessful hits (i.e., the total of both 4xx and 5xx response codes) for each time
+granularity within the specified time range for the given combination of tenant ID, environment ID, and organization
+ID. Optionally, you can configure the granularity parameter to override the default granularity value.
+
+ |
+|
| filter | +TimeFilter! | ++ +The time filter. + + | +|
| dataFilter | +DataFilter! | ++ +The data filter. + + | +|
| granularity | +String | ++ +The granularity value. + + | +|
| getErrorsByCategory | +ErrorsByCategory | +
+
+Returns the number of proxy errors (i.e., the total of both 4xx and 5xx response codes) by each error category
+for each time granularity within the specified time range for the given combination of tenant ID, environment ID,
+and organization ID. Optionally, you can configure the errorsByCategoryFilter parameter to further filter the
+results.
+
+ |
+|
| timeFilter | +TimeFilter! | ++ +The time filter. + + | +|
| errorsByCategoryFilter | +ErrorsByCategoryFilter | ++ +The errors by category filter. + + | +|
| dataFilter | +DataFilter! | ++ +The data filter. + + | +|
| getErrorsDetails | +DetailsOfErrors | +
+
+Returns details of each proxy error (for both 4xx and 5xx response codes) within the specified time range for
+the given combination of tenant ID, environment ID, and organization ID. Optionally, you can configure the
+errorsDetailsFilter parameter to further filter the results.
+
+ |
+|
| timeFilter | +TimeFilter! | ++ +The time filter. + + | +|
| errorsDetailsFilter | +ErrorsDetailsFilter | ++ +The error details filter. + + | +|
| dataFilter | +DataFilter! | ++ +The data filter. + + | +|
| getProxyTargetErrorsOverTime | +[ErrorsByStatusCodeCategory] | +
+
+Returns a list of hit counts for proxy and target errors for each time granularity within the specified time range
+for the given combination of tenant ID, environment ID, and organization ID. The errors in each proxy and target
+result set are grouped as 4xx, 5xx, and total. Optionally, you can configure the errorsByStatusCodeFilter
+parameter to further filter the results.
+
+ |
+|
| timeFilter | +TimeFilter! | ++ +The time filter. + + | +|
| errorsByStatusCodeFilter | +ErrorsByStatusCodeFilter | ++ +The errors by status code filter. + + | +|
| dataFilter | +DataFilter! | ++ +The data filter. + + | +|
| getErrorsByStatusCode | +ErrorsByStatusCode | +
+
+Returns the hit count for each error response code (401, 404, and 500 etc.,) for each API within the specified
+time range for the given combination of tenant ID, environment ID, and organization ID.
+
+ |
+|
| timeFilter | +TimeFilter! | ++ +The time filter. + + | +|
| errorCountByStatusCodeFilter | +ErrorCountByStatusCodeFilter! | ++ +The error count by status code filter. + + | +|
| dataFilter | +DataFilter! | ++ +The data filter. + + | +|
| getTotalErrorsByAPI | +TotalError | +
+
+Returns the total proxy error hit count for an API across for the given combination of tenant ID, environment ID,
+and organization ID. Optionally, you can configure the filter parameter to further filter the results by a given
+time range.
+
+ |
+|
| filter | +TimeFilter | ++ +The time filter. + + | +|
| dataFilter | +DataFilter! | ++ +The data filter. + + | +|
| apiId | +ID! | ++ +The API ID. + + | +|
| getAPIUsageOverTime | +[APIUsageOverTime] | +
+
+Returns a list of details related to the usage of each API over time for each time granularity within the specified
+time range for the given combination of tenant ID, environment ID, and organization ID. Optionally, you can
+configure the apiUsageOvertimeFilter parameter to further filter the results.
+
+ |
+|
| timeFilter | +TimeFilter! | ++ +The time filter. + + | +|
| apiUsageOvertimeFilter | +APIUsageOverTimeFilter | ++ +The API usage overtime filter. + + | +|
| dataFilter | +DataFilter! | ++ +The data filter. + + | +|
| getAPIUsageByAppOverTime | +APIUsageByAppOverTime | +
+
+Returns API usage by each application over time for each time granularity within the specified time range for the
+given combination of tenant ID, environment ID, and organization ID. Optionally, you can configure the
+apiUsageOvertimeFilter parameter to further filter the results.
+
+ |
+|
| timeFilter | +TimeFilter! | ++ +The time filter. + + | +|
| apiUsageOvertimeFilter | +APIUsageOverTimeFilter | ++ +The API usage overtime filter. + + | +|
| dataFilter | +DataFilter! | ++ +The data filter. + + | +|
| getAPIUsageByBackendOverTime | +APIUsageByBackendOverTime | +
+
+Returns API usage by each backend over time for each time granularity within the specified time range for the given
+combination of tenant ID, environment ID, and organization ID. Optionally, you can configure the
+apiUsageByBackendOverTimeFilter parameter to further filter the results.
+
+ |
+|
| timeFilter | +TimeFilter! | ++ +The time filter. + + | +|
| apiUsageByBackendOverTimeFilter | +APIUsageByBackendOverTimeFilter | ++ +The API usage by backend overtime filter. + + | +|
| dataFilter | +DataFilter! | ++ +The data filter. + + | +|
| getResourceUsage | +ResourceUsages | +
+
+Returns API usage by resource within the specified time range for the given combination of tenant ID, environment
+ID, and organization ID. Optionally, you can configure the resourceUsageFilter parameter to further filter the
+results.
+
+ |
+|
| timeFilter | +TimeFilter! | ++ +The time filter. + + | +|
| resourceUsageFilter | +ResourceUsageFilter | ++ +The resource usage filter. + + | +|
| dataFilter | +DataFilter! | ++ +The data filter. + + | +|
| getTotalTrafficByAPI | +Int | +
+
+Returns the total hit count for an API for the given combination of tenant ID, environment ID, and organization ID.
+Optionally, you can configure the filter parameter to further filter the results by a given time range.
+
+ |
+|
| filter | +TimeFilter | ++ +The time filter. + + | +|
| dataFilter | +DataFilter! | ++ +The data filter. + + | +|
| apiId | +ID! | ++ +The API ID. + + | +|
| topSlowestAPIs | +[SlowAPI] | ++ +Returns a list of top slowest APIs based on the response latency (95th percentile value) within the specified time +range for the given combination of tenant ID, environment ID, and organization ID. + + | +|
| filter | +TimeFilter! | ++ +The time filter. + + | +|
| dataFilter | +DataFilter! | ++ +The data filter. + + | +|
| limit | +Int! | ++ +The limit for the slow APIs list. + + | +|
| getLatency | +APILatency | ++ +Returns different latency category values (95th percentile values) for a given API over time for each time +granularity within the specified time range for the given combination of tenant ID, environment ID, and organization +ID. + + | +|
| timeFilter | +TimeFilter! | ++ +The time filter. + + | +|
| latencyFilter | +LatencyFilter! | ++ +The latency filter. + + | +|
| dataFilter | +DataFilter! | ++ +The data filter. + + | +|
| getOverallLatencyByAPI | +OverallLatency | +
+
+Returns the overall response latency (95th percentile value) for an API for the given combination of tenant ID,
+environment ID, and organization ID. Optionally, you can configure the filter parameter to further filter the
+results by a given time range.
+
+ |
+|
| filter | +TimeFilter | ++ +The time filter. + + | +|
| dataFilter | +DataFilter! | ++ +The data filter. + + | +|
| apiId | +ID! | ++ +The API ID. + + | +|
| getCacheHitsAndMisses | +CacheHits | ++ +Return the total number of response cache hits, misses, and hit percentage for an API over time for each time +granularity within the specified time range for the given combination of tenant ID, environment ID, and +organization ID. + + | +|
| timeFilter | +TimeFilter! | ++ +The time filter. + + | +|
| cacheFilter | +CacheFilter | ++ +The cache filter. + + | +|
| dataFilter | +DataFilter! | ++ +The data filter. + + | +|
| getTopPlatforms | +[Platform] | +
+
+Returns a list of top platforms ranked based on the hit count within the specified time range for the given
+combination of tenant ID, environment ID, and organization ID. The result list includes the top nine platforms with
+the respective hit count, and all the rest of the platforms are labeled as **Other** with the cumulated hit count.
+Optionally, you can configure the deviceFilter parameter to further filter the results.
+
+ |
+|
| timeFilter | +TimeFilter! | ++ +The time filter. + + | +|
| deviceFilter | +DeviceFilter | ++ +The device filter. + + | +|
| dataFilter | +DataFilter! | ++ +The data filter. + + | +|
| getTopUserAgents | +[UserAgent] | +
+
+Returns a list of top user agents ranked based on the hit count within the specified time range for the given
+combination of tenant ID, environment ID, and organization ID. The result list includes the top nine user agents
+with the respective hit count, and all the rest of the platforms are labeled as **Other** with the cumulated hit
+count. Optionally, you can configure the deviceFilter parameter to further filter the results.
+
+ |
+|
| timeFilter | +TimeFilter! | ++ +The time filter. + + | +|
| deviceFilter | +DeviceFilter | ++ +The device filter. + + | +|
| dataFilter | +DataFilter! | ++ +The data filter. + + | +|
| getAPIUsageByGeoLocation | +[UsageByGeoLocation] | +
+
+NOTE: Currently, this operation returns data only for on-premise environments.
+
+Returns API usage by country within the specified time range for the given combination of tenant ID, environment ID,
+and organization ID. Optionally, you can configure the geoLocationFilter parameter to further filter the results.
+
+ |
+|
| timeFilter | +TimeFilter! | ++ +The time filter. + + | +|
| geoLocationFilter | +GeoLocationFilter | ++ +The geolocation filter. + + | +|
| dataFilter | +DataFilter! | ++ +The data filter. + + | +|
| getAPIsUsageByApplications | +[APIUsageByApplication] | +
+
+Returns details relating to the usage of each API by application within the specified time range for the given
+combination of tenant ID, environment ID, and organization ID. Optionally, you can configure the
+apiUsageByAppFilter parameter to further filter the results.
+
+ |
+|
| timeFilter | +TimeFilter! | ++ +The time filter. + + | +|
| apiUsageByAppFilter | +APIUsageByAppFilter | ++ +The API usage by app filter. + + | +|
| dataFilter | +DataFilter! | ++ +The data filter. + + | +|
| getTopAPIsByAlertCount | +TopAPIsByAlertCount | +
+
+Returns top APIs ranked based on the alert count within the specified time range for the given combination of tenant
+ID, environment ID, and organization ID. Optionally, you can configure the topAPIsByAlertCountFilter parameter to
+further filter the results.
+
+ |
+|
| timeFilter | +TimeFilter! | ++ +The time filter. + + | +|
| topAPIsByAlertCountFilter | +TopAPIsByAlertCountFilter | ++ +The top APIs by alert count filter. + + | +|
| dataFilter | +DataFilter! | ++ +The data filter. + + | +|
| getAlertSummary | +AlertSummaries | +
+
+Returns a summary for each alert within the specified time range for the given combination of tenant ID,
+environment ID, and organization ID. Optionally, you can configure the alertSummaryFilter parameter to further
+filter the results.
+
+ |
+|
| timeFilter | +TimeFilter! | ++ +The time filter. + + | +|
| alertSummaryFilter | +AlertSummaryFilter | ++ +The alert summary filter. + + | +|
| dataFilter | +DataFilter! | ++ +The data filter. + + | +|
| getSuccessAPIsUsageByApplications | +[SuccessAPIUsageByApplication] | +
+
+NOTE: This operation can only be invoked via using an on-prem key as the authentication header.
+
+Returns a list of successful hit counts (i.e., 2xx response codes) within the specified time range for each API,
+grouped by each application. Optionally, you can configure the successAPIUsageByAppFilter parameter to further
+filter the results.
+
+ |
+|
| timeFilter | +TimeFilter! | ++ +The time filter. + + | +|
| successAPIUsageByAppFilter | +SuccessAPIUsageByAppFilter | ++ +The successful API usage by application filter. + + | +|
| getSuccessAPIsUsageByApplicationsWithOnPremKey | +[SuccessAPIUsageByApplication] | +
+
+Returns a list of successful hit counts (i.e., 2xx response codes) within the specified time range for each API,
+grouped by each application. Optionally, you can configure the successAPIUsageByAppFilter parameter to further
+filter the results.
+
+ |
+|
| onPremKey | +String! | ++ +The value of the On-Prem key. + + | +|
| timeFilter | +TimeFilter! | ++ +The time filter. + + | +|
| successAPIUsageByAppFilter | +SuccessAPIUsageByAppFilter | ++ +The successful API usage by application filter. + + | +|
| getCustomReportOvertime | +CustomReportOvertime | ++ +Returns the summary of hits or latency data as specified for the selected time duration, grouped by time spans. + + | +|
| dataFilter | +DataFilter! | ++ +The data filter. + + | +|
| timeFilter | +TimeFilter! | ++ +The time filter. + + | +|
| metric | +Metric! | ++ +The metric for which data needs to be retrieved. + + | +|
| groupByFields | +[GroupByField]! | ++ +The column/field by which data needs to be retrieved. + + | +|
| groupByValues | +[String]! | +
+
+The value used to filter by the groupByField.
+
+ |
+|
| granularity | +String! | ++ +The granularity value for which data is retrieved. + + | +|
| getCustomReportTopOvertime | +CustomReportTopOvertime | ++ +Returns the summary of hits or latency data as specified for the selected time duration, grouped by time spans for +the top N values for the selected groupByField. + + | +|
| dataFilter | +DataFilter! | ++ +The data filter. + + | +|
| timeFilter | +TimeFilter! | ++ +The time filter. + + | +|
| metric | +Metric! | ++ +The metric for which data needs to be retrieved. + + | +|
| groupByFields | +[GroupByField]! | ++ +The column/field by which the data should be grouped. + + | +|
| groupByValues | +[String]! | +
+
+The value used to filter by the groupByField.
+
+ |
+|
| granularity | +String! | ++ +The granularity value for which data is retrieved. + + | +|
| getGroupByValues | +[[String]] | +
+
+Returns a list of value sets by which you can group the data available for the selected groupBy fields.
+
+ |
+|
| dataFilter | +DataFilter! | ++ +The data filter. + + | +|
| groupByFields | +[GroupByField]! | ++ +The column/field for which the API needs to retrieve distinct values. + + | +|
| groupByValues | +[String]! | +
+
+The value used to filter by the groupByField.
+
+ |
+|
Represents API details.
+| Field | +Argument | +Type | +Description | +
|---|---|---|---|
| id | +ID! | ++ +The ID of the API. + + | +|
| name | +String! | ++ +The API name. + + | +|
| version | +String! | ++ +The API version. + + | +|
| provider | +String! | ++ +The API provider name. + + | +|
Represents latency values for a single API over time.
+| Field | +Argument | +Type | +Description | +
|---|---|---|---|
| summary | +[Latency] | ++ +A list containing latency category values over time. Returns an empty array if no data is available. + + | +|
| granularity | +String! | ++ +The granularity value for which data is retrieved. + + | +|
Represents the API usage for a single timestamp. The timestamp is calculated based on the granularity value provided.
+| Field | +Argument | +Type | +Description | +
|---|---|---|---|
| timeSpan | +String! | +
+
+Represents a timestamp value that is calculated based on the specified granularity value. For example, if the
+granularity value is 1d, the timestamp represents the start of the day calculated adhering to the timezone
+provided in the time filter.
+e.g., timeSpan: '2021-06-21T00:00:00.0000000+05:30'
+
+ |
+|
| count | +Int! | ++ +The API usage count. + + | +|
Represents API usage across APIs by a single application.
+| Field | +Argument | +Type | +Description | +
|---|---|---|---|
| applicationId | +ID! | ++ +The application ID. + + | +|
| applicationName | +String! | ++ +The application name. + + | +|
| applicationOwner | +String! | ++ +The name of the application owner. + + | +|
| usage | +[APIUsage] | ++ +A list containing the APIs usage values. Returns an empty array if no data is available. + + | +|
Represents API usage across APIs by applications over time.
+| Field | +Argument | +Type | +Description | +
|---|---|---|---|
| usage | +[APIUsageByApp] | ++ +A list containing the API usage values across APIs, grouped by the application. Returns an empty array if no data is +available. + + | +|
| granularity | +String! | ++ +The granularity value for which data is retrieved. + + | +|
Represents a single API usage by a single application.
+| Field | +Argument | +Type | +Description | +
|---|---|---|---|
| apiId | +String! | ++ +The ID of the API. + + | +|
| applicationId | +String! | ++ +The Application ID. + + | +|
| applicationName | +String! | ++ +The application name. + + | +|
| applicationOwner | +String! | ++ +The name of the application owner. + + | +|
| count | +Int! | ++ +The usage of the API by the application. + + | +|
Represents API usage across APIs by a single backend.
+| Field | +Argument | +Type | +Description | +
|---|---|---|---|
| backend | +String! | ++ +The name of the backend. + + | +|
| usage | +[APIUsage] | ++ +A list containing the APIs usage values. Returns an empty array if no data is available. + + | +|
Represents API usage across APIs by each backend over time.
+| Field | +Argument | +Type | +Description | +
|---|---|---|---|
| usage | +[APIUsageByBackend] | ++ +A list containing the API usage values across APIs by each backend. Returns an empty array if no data is available. + + | +|
| granularity | +String! | ++ +The granularity value for which data is retrieved. + + | +|
Represents a single API usage over time.
+| Field | +Argument | +Type | +Description | +
|---|---|---|---|
| apiId | +ID | ++ +The ID of the API. + + | +|
| usage | +[APIUsage] | ++ +A list containing the API usage values. Returns an empty array if no data is available. + + | +|
| granularity | +String! | ++ +The granularity value for which data is retrieved. + + | +|
Represents alert summaries.
+| Field | +Argument | +Type | +Description | +
|---|---|---|---|
| usage | +[AlertSummary] | ++ +A list containing the alert summary for each alert. Returns an empty array if no data is available. + + | +|
| pagination | +Pagination! | ++ +The pagination details. + + | +|
Represents a summary for an alert.
+| Field | +Argument | +Type | +Description | +
|---|---|---|---|
| apiId | +ID! | ++ +The ID of the API. + + | +|
| timestamp | +String! | +
+
+Represents a timestamp value that is calculated based on the specified granularity value. For example, if the
+granularity value is 1d, the timestamp represents the start of the day calculated adhering to the timezone
+provided in the time filter.
+e.g., timeSpan: '2021-06-21T00:00:00.0000000+05:30'
+
+ |
+|
| category | +String! | +
+
+The alert category. Possible values are LATENCY and TRAFFIC.
+
+ |
+|
| metric | +String! | +
+
+The alert metric. Possible values are RESPONSE_LATENCY and TOTAL_TRAFFIC.
+
+ |
+|
| severity | +String! | +
+
+The severity level of the alert. Possible values are LOW, MEDIUM, and HIGH.
+
+ |
+|
| message | +String! | ++ +The alert details. + + | +|
Represents application details.
+| Field | +Argument | +Type | +Description | +
|---|---|---|---|
| id | +ID! | ++ +The Application ID. + + | +|
| name | +String! | ++ +The application name. + + | +|
| owner | +String! | ++ +The name of the application owner. + + | +|
Represents the response cache hits and misses for a single timestamp. The timestamp is calculated based on the +granularity value provided.
+| Field | +Argument | +Type | +Description | +
|---|---|---|---|
| timeSpan | +String! | +
+
+Represents a timestamp value that is calculated based on the specified granularity value. For example, if the
+granularity value is 1d, the timestamp represents the start of the day calculated adhering to the timezone
+provided in the time filter.
+e.g., timeSpan: '2021-06-21T00:00:00.0000000+05:30'
+
+ |
+|
| hits | +Int! | ++ +The number of times the response cache was hit. + + | +|
| misses | +Int! | ++ +The number of times the response cache was missed. + + | +|
| hitPercentage | +Float! | ++ +The response cache hits as a percentage of the sum of hits and misses. + + | +|
Represents the response cache hits and misses over time.
+| Field | +Argument | +Type | +Description | +
|---|---|---|---|
| summary | +[CacheHit] | ++ +A list containing cache hits, misses, and the hit percentage over time. Returns an empty array if no data is +available. + + | +|
| granularity | +String! | ++ +The granularity value for which data is retrieved. + + | +|
Represents the usage data overtime for the selected parameters of a specific groupByValue.
| Field | +Argument | +Type | +Description | +
|---|---|---|---|
| groupByValue | +ID! | ++ +The distinct group-by value that is used as an ID. + + | +|
| usage | +[CustomReportUsage] | ++ +A list containing the usage values. This returns an empty array if no data is available. + + | +|
Represents usage data overtime for the selected parameters.
+| Field | +Argument | +Type | +Description | +
|---|---|---|---|
| usage | +[CustomReportUsage] | ++ +A list containing the usage values. This returns an empty array if no data is available. + + | +|
| granularity | +String! | ++ +The granularity value for which data is retrieved. + + | +|
Represents usage data overtime for the selected parameters grouped by the top N groupByValues.
| Field | +Argument | +Type | +Description | +
|---|---|---|---|
| usage | +[CustomReportGroupBy] | +
+
+A list containing the usage values grouped by the selected groupByField. This returns an empty array if no data is
+available.
+
+ |
+|
| granularity | +String! | ++ +The granularity value for which data is retrieved. + + | +|
Represents usage data for a single timestamp in CustomReports.
| Field | +Argument | +Type | +Description | +
|---|---|---|---|
| timeSpan | +String! | +
+
+Represents a timestamp value that is calculated based on the specified granularity value. For example, if the
+granularity value is 1d, the timestamp represents the start of the day calculated adhering to the timezone
+provided in the time filter.
+e.g., timeSpan: '2021-06-21T00:00:00.0000000+05:30'
+
+ |
+|
| value | +Int! | ++ +The usage value (Hit Count/ Latency). + + | +|
Represents error details over time.
+| Field | +Argument | +Type | +Description | +
|---|---|---|---|
| usage | +[ErrorDetails]! | ++ +A list containing error details over time. Returns an empty array if no data is available. + + | +|
| pagination | +Pagination! | ++ +The pagination details. + + | +|
Represents an environment.
+| Field | +Argument | +Type | +Description | +
|---|---|---|---|
| id | +String! | ++ +The environment ID. + + | +|
| externalEnvId | +String! | ++ +The external environment ID. + + | +|
| internalEnvId | +String | ++ +The internal environment ID. + + | +|
| sandboxEnvId | +String | ++ +The sandbox environment ID. + + | +|
| name | +String! | ++ +The environment name. + + | +|
| type | +EnvironmentType! | +
+
+The environment type. A Choreo environment is labeled as CHOREO, a private Choreo environment is labeled as
+CHOREO_PRIVATE, and the on-premise environment is labeled as ON_PREM.
+
+ |
+|
Represents the number of errors from each category for a single timestamp. The timestamp is calculated according to the
+provided granularity value. If you select some categories, the error counts are retrieved only for those categories,
+and a null value is shown for the other categories that are not selected.
| Field | +Argument | +Type | +Description | +
|---|---|---|---|
| timeSpan | +String! | +
+
+Represents a timestamp value that is calculated based on the specified granularity value. For example, if the
+granularity value is 1d, the timestamp represents the start of the day calculated adhering to the timezone
+provided in the time filter.
+e.g., timeSpan: '2021-06-21T00:00:00.0000000+05:30'
+
+ |
+|
| auth | +Int | ++ +The count of authorization errors. + + | +|
| targetConnectivity | +Int | ++ +The count of target connectivity errors. + + | +|
| throttled | +Int | ++ +The count of throttling errors. + + | +|
| other | +Int | ++ +The count of other errors. + + | +|
Represents the error count for a single error status code.
+| Field | +Argument | +Type | +Description | +
|---|---|---|---|
| statusCode | +String! | ++ +The error status code. + + | +|
| count | +Int! | ++ +The error count. + + | +|
Represents the error count for each status code for a single API.
+| Field | +Argument | +Type | +Description | +
|---|---|---|---|
| apiId | +ID! | ++ +The ID of the API. + + | +|
| errorCountByCode | +[ErrorCountByCode] | ++ +A list containing the error count for each error status code. Returns an empty array if no data is available. + + | +|
Represents details of an error for a single timestamp. The timestamp is calculated according to the granularity value +provided.
+| Field | +Argument | +Type | +Description | +
|---|---|---|---|
| apiId | +ID | ++ +The ID of the API. + + | +|
| timeSpan | +String! | +
+
+Represents a timestamp value that is calculated based on the specified granularity value. For example, if the
+granularity value is 1d, the timestamp represents the start of the day calculated adhering to the timezone
+provided in the time filter.
+e.g., timeSpan: '2021-06-21T00:00:00.0000000+05:30'
+
+ |
+|
| applicationId | +String | ++ +The Application ID. + + | +|
| applicationName | +String | ++ +The application name. + + | +|
| applicationOwner | +String | ++ +The name of the application owner. + + | +|
| reason | +String! | ++ +The reason for the error. + + | +|
| count | +Int! | ++ +The error count. + + | +|
Represents errors by the main status code (4xx or 5xx) and the total error count.
| Field | +Argument | +Type | +Description | +
|---|---|---|---|
| _4xx | +Int | ++ +The number of client errors. + + | +|
| _5xx | +Int | ++ +The number of server errors. + + | +|
| total | +Int | ++ +The total number of client and server errors. + + | +|
Provides the unsuccessful usage (i.e., 4xx and 5xx response codes) summary across all APIs.
| Field | +Argument | +Type | +Description | +
|---|---|---|---|
| summary | +[ErrorValue]! | ++ +A list containing unsuccessful usage values. Returns an empty array if no data is available. + + | +|
| granularity | +String! | ++ +The granularity value for which data is retrieved. + + | +|
Represents the unsuccessful request count (i.e., 4xx and 5xx response codes) for a single timestamp. The timestamp
+is calculated based on the granularity value provided.
| Field | +Argument | +Type | +Description | +
|---|---|---|---|
| timeSpan | +String | +
+
+Represents a timestamp value that is calculated based on the specified granularity value. For example, if the
+granularity value is 1d, the timestamp represents the start of the day calculated adhering to the timezone
+provided in the time filter.
+e.g., timeSpan: '2021-06-21T00:00:00.0000000+05:30'
+
+ |
+|
| errorCount | +Int | ++ +Represents the error request count. + + | +|
Represents the errors by category over time.
+| Field | +Argument | +Type | +Description | +
|---|---|---|---|
| errors | +[ErrorCountByCategory] | ++ +A list containing the error count for each error category over time. Returns an empty array if no data is available. + + | +|
| granularity | +String! | ++ +The granularity value for which data is retrieved. + + | +|
Represents the error counts grouped by status code for each API.
+| Field | +Argument | +Type | +Description | +
|---|---|---|---|
| errors | +[ErrorCountByCodeForAPI]! | ++ +A list containing the error count for each status code for each API. Returns an empty array if no data is available. + + | +|
| pagination | +Pagination! | ++ +Pagination details. + + | +|
Represents the error category values (grouped as 4xx, 5xx, and total) for both proxy and target errors for a
+single timestamp. The timestamp is calculated based on the granularity value provided.
| Field | +Argument | +Type | +Description | +
|---|---|---|---|
| timeSpan | +String! | +
+
+Represents a timestamp value that is calculated based on the specified granularity value. For example, if the
+granularity value is 1d, the timestamp represents the start of the day calculated adhering to the timezone
+provided in the time filter.
+e.g., timeSpan: '2021-06-21T00:00:00.0000000+05:30'
+
+ |
+|
| proxy | +ErrorStatusCodeCategoryCounts | +
+
+Represents proxy-related errors categorized as client errors (4xx response codes) or server errors (5xx response
+codes), and the total of both categories.
+
+ |
+|
| target | +ErrorStatusCodeCategoryCounts | +
+
+Represents target-related errors categorized as client errors (4xx response codes) or server errors (5xx
+response codes), and the total of both categories.
+
+ |
+|
Represents latency values for each latency category for a single timestamp. The timestamp is calculated based on the +granularity value provided.
+| Field | +Argument | +Type | +Description | +
|---|---|---|---|
| timeSpan | +String | +
+
+Represents a timestamp value that is calculated based on the specified granularity value. For example, if the
+granularity value is 1d, the timestamp represents the start of the day calculated adhering to the timezone
+provided in the time filter.
+e.g., timeSpan: '2021-06-21T00:00:00.0000000+05:30'
+
+ |
+|
| response | +Int | ++ +The response latency (95th percentile) in milliseconds (ms). + + | +|
| backend | +Int | ++ +The backend latency (95th percentile) in milliseconds (ms). + + | +|
| requestMediation | +Int | ++ +The request mediation latency (95th percentile) in milliseconds (ms). + + | +|
| responseMediation | +Int | ++ +The response mediation latency (95th percentile) in milliseconds (ms). + + | +|
| responseMedian | +Int | ++ +The median (50th percentile) of the response latency in milliseconds (ms). + + | +|
| backendMedian | +Int | ++ +The median (50th percentile) of the backend latency in milliseconds (ms). + + | +|
| requestMediationMedian | +Int | ++ +The median (50th percentile) of the request mediation latency in milliseconds (ms). + + | +|
| responseMediationMedian | +Int | ++ +The median (50th percentile) of the response mediation latency in milliseconds (ms). + + | +|
Provides the latency summary.
+| Field | +Argument | +Type | +Description | +
|---|---|---|---|
| summary | +[LatencyValue]! | ++ +A list containing latency values. Returns an empty array if no data is available. + + | +|
| granularity | +String! | ++ +The granularity value for which data is retrieved. + + | +|
Represents the latency value for a single timestamp. The timestamp is calculated according to the provided granularity +value.
+| Field | +Argument | +Type | +Description | +
|---|---|---|---|
| timeSpan | +String! | +
+
+Represents a timestamp value that is calculated based on the specified granularity value. For example, if the
+granularity value is 1d, the timestamp represents the start of the day calculated adhering to the timezone
+provided in the time filter.
+e.g., timeSpan: '2021-06-21T00:00:00.0000000+05:30'
+
+ |
+|
| latencyTime | +Float! | ++ +Represents the latency (95th percentile) time in milliseconds (ms). + + | +|
Represents an organization.
+| Field | +Argument | +Type | +Description | +
|---|---|---|---|
| id | +String! | ++ +The organization ID. + + | +|
| uuid | +ID! | ++ +The organization UUID. + + | +|
| handle | +String! | ++ +The organization handle name. + + | +|
| name | +String! | ++ +The organization name. + + | +|
Represents the overall latency values.
+| Field | +Argument | +Type | +Description | +
|---|---|---|---|
| response | +Float | ++ +The response latency (95th percentile value) in milliseconds (ms). + + | +|
Represents pagination details.
+| Field | +Argument | +Type | +Description | +
|---|---|---|---|
| total | +Int! | ++ +The total number of results. + + | +|
| limit | +Int! | ++ +The number of items in the result set. + + | +|
| offset | +Int! | ++ +The offset value for the result set. + + | +|
| sortBy | +String! | ++ +The sorting column name of the result set. + + | +|
| sortOrder | +String! | +
+
+The sorting order of the result set. Possible values are asc and desc.
+
+ |
+|
Represents a platform.
+| Field | +Argument | +Type | +Description | +
|---|---|---|---|
| platform | +String! | ++ +The name of the platform. + + | +|
| count | +Int! | ++ +The usage of the platform. + + | +|
Represents API Provider details.
+| Field | +Argument | +Type | +Description | +
|---|---|---|---|
| name | +String! | ++ +The API provider name. + + | +|
Represents the usage of a single API resource.
+| Field | +Argument | +Type | +Description | +
|---|---|---|---|
| apiId | +ID! | ++ +The ID of the API. + + | +|
| apiResourceTemplate | +String! | ++ +The API resource template. + + | +|
| apiMethod | +String! | ++ +The API method. + + | +|
| count | +Int! | ++ +The usage of the API resource. + + | +|
Represents API resource usages.
+| Field | +Argument | +Type | +Description | +
|---|---|---|---|
| usage | +[ResourceUsage] | ++ +A list with the usage of each API resource. Returns an empty array if no data is available. + + | +|
| pagination | +Pagination! | ++ +Pagination details. + + | +|
A slow API identified based on the response latency (95th percentile).
+| Field | +Argument | +Type | +Description | +
|---|---|---|---|
| apiId | +ID! | ++ +The ID of the API. + + | +|
| latency | +Int! | ++ +Represents the latency (95th percentile) time in milliseconds (ms). + + | +|
Represents API Subscriber details.
+| Field | +Argument | +Type | +Description | +
|---|---|---|---|
| name | +String! | ++ +The name of the API subscriber. + + | +|
Represents successful usages(that have resulted in the 2xx response code) of an API by an application.
| Field | +Argument | +Type | +Description | +
|---|---|---|---|
| apiId | +String! | ++ +The ID of the API. + + | +|
| apiName | +String! | ++ +The name of the API. + + | +|
| apiVersion | +String! | ++ +The version of the API. + + | +|
| apiCreatorTenantDomain | +String! | ++ +The tenant domain of the API creator. + + | +|
| applicationId | +String! | ++ +The application ID. + + | +|
| applicationName | +String! | ++ +The name of the application. + + | +|
| applicationOwner | +String! | ++ +The name of the application owner. + + | +|
| count | +Int! | ++ | |
Provides the successful (2xx response code) usage summary across all the APIs.
+| Field | +Argument | +Type | +Description | +
|---|---|---|---|
| summary | +[SuccessValue]! | ++ +A list containing successful usage values. Returns an empty array if no data is available. + + | +|
| granularity | +String! | ++ +The granularity value for which data is retrieved. + + | +|
Represents the successful request count (i.e., requests that have received the 2xx response code) for a single
+timestamp. The timestamp is calculated according to the granularity value provided.
| Field | +Argument | +Type | +Description | +
|---|---|---|---|
| timeSpan | +String! | +
+
+Represents a timestamp value that is calculated based on the specified granularity value. For example, if the
+granularity value is 1d, the timestamp represents the start of the day calculated adhering to the timezone
+provided in the time filter.
+e.g., timeSpan: '2021-06-21T00:00:00.0000000+05:30'
+
+ |
+|
| requestCount | +Int! | ++ +Represents the successful request count. + + | +|
Represents a top API by alert count.
+| Field | +Argument | +Type | +Description | +
|---|---|---|---|
| apiId | +ID! | ++ +The ID of the API. + + | +|
| count | +Int! | ++ +The alert count. + + | +|
Represents the top APIs by alert count.
+| Field | +Argument | +Type | +Description | +
|---|---|---|---|
| usage | +[TopAPIByAlertCount] | ++ +A list containing top APIs by alert count. Returns an empty array if no data is available. + + | +|
| pagination | +Pagination! | ++ +The pagination details. + + | +|
Represents the total errors.
+| Field | +Argument | +Type | +Description | +
|---|---|---|---|
| proxy | +Int | ++ +The proxy-related error count. + + | +|
Represents the usage of a single API in a single country.
+| Field | +Argument | +Type | +Description | +
|---|---|---|---|
| country | +String! | ++ +The name of the country. + + | +|
| count | +Int! | ++ +The usage of the API. + + | +|
Represents a user agent.
+| Field | +Argument | +Type | +Description | +
|---|---|---|---|
| userAgent | +String! | ++ +The name of the user agent. + + | +|
| count | +Int! | ++ +The usage of the user agent. + + | +|
Filters the API usage by application results.
+| Field | +Type | +Description | +|
|---|---|---|---|
| apiIds | +[String] | ++ +The results are filtered for the list of APIs you specify here. A maximum of five API IDs can be defined. + + | +|
| appIds | +[String] | ++ +The results are filtered for the list of applications you specify here. A maximum of five application IDs can be +defined. + + | +|
| subscribers | +[String] | ++ +The results are filtered for the list of subscribers you specify here. A maximum of five subscriber IDs can be +defined. + + | +|
Filters the results for API usage by backend over time.
+| Field | +Type | +Description | +|
|---|---|---|---|
| apiIds | +[String] | ++ +The results are filtered for the list of APIs you specify here. A maximum of five API IDs can be defined. + + | +|
| granularity | +String | +
+
+The granularity value that is used for data retrieval. If the granularity value is not set, the default granularity
+for the related time range is applied. The possible granularity values that you can specify are 1m, 15m, 1h,
+1d, and 7d.
+
+ |
+|
Filters the results for API usage over time.
+| Field | +Type | +Description | +|
|---|---|---|---|
| apiIds | +[String] | ++ +The results are filtered for the list of APIs you specify here. A maximum of five API IDs can be defined. + + | +|
| appIds | +[String] | ++ +The results are filtered for the list of applications you specify here. A maximum of five application IDs can be +defined. + + | +|
| granularity | +String | +
+
+The granularity value that is used for data retrieval. If the granularity value is not set, the default granularity
+for the related time range is applied. The possible granularity values that you can specify are 1m, 15m, 1h,
+1d, and 7d.
+
+ |
+|
Filters the alerts summary results.
+| Field | +Type | +Description | +|
|---|---|---|---|
| paginationFilter | +PaginationFilter | ++ +The pagination filter. + + | +|
| searchFilter | +SearchFilter | ++ +The search filter. + + | +|
| apiIds | +[String] | ++ +The results are filtered for the list of APIs you specify here. A maximum of five API IDs can be defined. + + | +|
| category | +String | +
+
+The alert category by which the results need to be filtered. The available categories to select are TRAFFIC and
+LATENCY.
+
+ |
+|
Filters applications by the application owner and API IDs.
+| Field | +Type | +Description | +|
|---|---|---|---|
| owner | +String | ++ | |
| apiIds | +[String] | ++ +The results are filtered for the list of APIs you specify here. A maximum of five API IDs can be defined. + + | +|
Filters response cache results.
+| Field | +Type | +Description | +|
|---|---|---|---|
| apiId | +String | ++ +The results are filtered by the API ID specified here. + + | +|
| granularity | +String | +
+
+The granularity value that is used for data retrieval. If the granularity value is not set, the default granularity
+for the related time range is applied. The possible granularity values that you can specify are 1m, 15m, 1h,
+1d, and 7d.
+
+ |
+|
Filters results by the given combination of organization, environment, and tenant.
+| Field | +Type | +Description | +|
|---|---|---|---|
| orgId | +String! | ++ +The organization by which the results need to be filtered. It is required to specify a value for this parameter. + + | +|
| environmentId | +String | ++ +The environment ID by which the results need to be filtered. It is required to specify a value for this parameter. + + | +|
| environmentIds | +[String] | ++ +The environment IDs by which the results need to be filtered. It is required to specify a value for this parameter. + + | +|
| tenant | +String! | ++ +The name of the tenant by which the results need to be filtered. It is required to specify a value for this +parameter. + + | +|
| projectId | +String | ++ +The project ID by which the results need to be filtered. It is optional to specify a value for this +parameter. Note that providing a project ID with an on-prem key is not allowed. + + | +|
Filters results related to devices.
+| Field | +Type | +Description | +|
|---|---|---|---|
| apiIds | +[String] | ++ +The results are filtered for the list of APIs you specify here. A maximum of five API IDs can be defined. + + | +|
Filters errors by status code results.
+| Field | +Type | +Description | +|
|---|---|---|---|
| apiId | +String | ++ +The results are filtered by the API ID specified here. + + | +|
| errorType | +ErrorType! | ++ +The type of the error. It is required to specify a value for this parameter. + + | +|
| errorCodeType | +ErrorCodeType | +
+
+The error code type. If this parameter is not configured, both client-related error response codes (401, 404,
+etc.) and server-related response codes (500, 501, etc.) are included in the result set.
+
+ |
+|
| paginationFilter | +PaginationFilter | ++ +The pagination filter. + + | +|
Filters errors by category results.
+| Field | +Type | +Description | +|
|---|---|---|---|
| apiId | +String | ++ +The ID of the API. + + | +|
| categories | +[String] | +
+
+The list of categories by which the results need to be filtered. Category values that you can specify here are
+AUTH, TARGET_CONNECTIVITY, THROTTLED, and OTHER.
+
+ |
+|
| granularity | +String | +
+
+The granularity value that is used for data retrieval. If the granularity value is not set, the default granularity
+for the related time range is applied. The possible granularity values that you can specify are 1m, 15m, 1h,
+1d, and 7d.
+
+ |
+|
Filters errors by status code results.
+| Field | +Type | +Description | +|
|---|---|---|---|
| apiId | +String | ++ +The results are filtered by the API ID specified here. + + | +|
| granularity | +String | +
+
+The granularity value that is used for data retrieval. If the granularity value is not set, the default granularity
+for the related time range is applied. The possible granularity values that you can specify are 1m, 15m, 1h,
+1d, and 7d.
+
+ |
+|
Filters the results for error details.
+| Field | +Type | +Description | +|
|---|---|---|---|
| apiId | +String | ++ +The results are filtered by the API ID specified here. + + | +|
| appId | +String | ++ +The application ID by which the results need to be filtered. + + | +|
| category | +String | +
+
+The error category by which the results need to be filtered. The error category that you can specify here must be
+one of the AUTH TARGET_CONNECTIVITY, THROTTLED, and OTHER values.
+
+ |
+|
| granularity | +String | +
+
+The granularity value that is used for data retrieval. If the granularity value is not set, the default granularity
+for the related time range is applied. The possible granularity values that you can specify are 1m, 15m, 1h,
+1d, and 7d.
+
+ |
+|
| paginationFilter | +PaginationFilter | ++ +The pagination filter. + + | +|
| searchFilter | +SearchFilter | ++ +The search filter. + + | +|
Filters the API usage by geolocation results.
+| Field | +Type | +Description | +|
|---|---|---|---|
| apiIds | +[String] | ++ +The results are filtered for the list of APIs you specify here. + + | +|
Filters latency results.
+| Field | +Type | +Description | +|
|---|---|---|---|
| apiId | +String! | ++ +The results are filtered by the API ID specified here. It is required to specify a value for this parameter. + + | +|
| granularity | +String | +
+
+The granularity value that is used for data retrieval. If the granularity value is not set, the default granularity
+for the related time range is applied. The possible granularity values that you can specify are 1m, 15m, 1h,
+1d, and 7d.
+
+ |
+|
Filters latency summary results.
+| Field | +Type | +Description | +|
|---|---|---|---|
| apiId | +String | ++ +The results are filtered by the API ID specified here. + + | +|
| granularity | +String | +
+
+The granularity value that is used for data retrieval. If the granularity value is not set, the default granularity
+for the related time range is applied. The possible granularity values that you can specify are 1m, 15m, 1h,
+1d, and 7d.
+
+ |
+|
Filters results for the given organization.
+| Field | +Type | +Description | +|
|---|---|---|---|
| orgId | +String! | ++ +The ID of the organization by which the results need to be filtered. It is required to specify a value for this +parameter. + + | +|
Filters related to pagination.
+| Field | +Type | +Description | +|
|---|---|---|---|
| limit | +Int | ++ +The total number of rows in the result set. This value must be a positive integer. If this limit value is not set, +the total number of rows is five by default. + + | +|
| offset | +Int | +
+
+The offset value to set when filtering results. This value must be zero or a positive integer. If you do not specify
+an offset value, the default offset value (i.e., 0) applies.
+
+ |
+|
| sortBy | +String | +
+
+The column name by which the results are sorted. If the sortBy value is not set, the default column of the related
+operation that is available for sorting purposes is used.
+
+ |
+|
| sortOrder | +String | +
+
+The order in which the results are sorted. Possible values are asc (to sort in ascending order) and desc (to
+sort in descending order). If no value is specified, the results are sorted in ascending order by default (except
+for count-specific operations such as getTopAPIsByAlertCount where the results are always sorted in descending
+order).
+
+ |
+|
Filters resource usage results.
+| Field | +Type | +Description | +|
|---|---|---|---|
| paginationFilter | +PaginationFilter | ++ +The pagination filter. + + | +|
| searchFilter | +SearchFilter | ++ +The search filter. + + | +|
Filters results by searching matching results for the provided search text.
+| Field | +Type | +Description | +|
|---|---|---|---|
| apiIds | +[String] | ++ +The list of API IDs that need to be searched with the given search text. Note that it is not possible to define API +IDs without a search text in the search filter. + + | +|
| searchText | +String! | ++ +Text which needs to be searched among the results. It is required to specify a value for this parameter. + + | +|
Filters the subscriber results.
+| Field | +Type | +Description | +|
|---|---|---|---|
| apiIds | +[String] | ++ +The results are filtered for the list of APIs you specify here. A maximum of five API IDs can be defined. + + | +|
Filters successful API usage by application results.
+| Field | +Type | +Description | +|
|---|---|---|---|
| apiIds | +[String] | ++ +The list of API IDs by which the results need to be filtered. + + | +|
| tenantDomains | +[String] | ++ +The tenant domain name by which the results need to be filtered. + + | +|
Filters results by the tenant.
+| Field | +Type | +Description | +|
|---|---|---|---|
| orgId | +String! | ++ +The ID of the organization by which the results need to be filtered. It is required to specify a value for this +parameter. + + | +|
| envId | +String | ++ +The ID of the environment by which the results need to be filtered. It is required to specify a value for this +parameter. + + | +|
| environmentIds | +[String] | ++ +The environment IDs by which the results need to be filtered. It is required to specify a value for this parameter. + + | +|
Filters results by the provided date range.
+| Field | +Type | +Description | +|
|---|---|---|---|
| from | +String! | +
+
+The start date of the time range. The date specified here must be a date earlier than the date specified via the
+to parameter. If the defined date and time entry do not have a timezone, the UTC time zone (z) is used. It is
+required to specify a value for this parameter.
+e.g., '2021-08-16T12:00:00.000+05:30'.
+
+ |
+|
| to | +String! | +
+
+The end date of the time range. The date specified here must be a date later than the date specified via the from
+parameter. If the defined date and time entry do not have a timezone, the UTC time zone (z) is used. It is
+required to specify a value for this parameter.
+e.g., '2021-08-16T12:30:00.000+05:30'.
+
+ |
+|
Filters the top APIs by alert count results.
+| Field | +Type | +Description | +|
|---|---|---|---|
| paginationFilter | +PaginationFilter | ++ +The pagination filter. + + | +|
| searchFilter | +SearchFilter | ++ +The search filter. + + | +|
Represents an error type.
+| Value | +Description | + + +
|---|---|
| CHOREO | ++ +The Choreo environments. + + | +
| CHOREO_PRIVATE | ++ +The private data-plane Choreo environments. + + | +
| ON_PREM | ++ +The On-Premise environments. + + | +
Represents an error code type.
+| Value | +Description | + + +
|---|---|
| _4XX | ++ +The client-side errors. + + | +
| _5XX | ++ +The server-side errors. + + | +
Represents an error type.
+| Value | +Description | + + +
|---|---|
| PROXY | ++ +The proxy-related errors. + + | +
| TARGET | ++ +The target-related errors. + + | +
Represents an groupByField used in CustomReports.
| Value | +Description | + + +
|---|---|
| API_NAME | ++ +The API name. + + | +
| API_VERSION | ++ +The API version. + + | +
| API_RESOURCE_TEMPLATE | ++ +The API resource template. + + | +
| API_METHOD | ++ +The API method. + + | +
| API_CREATOR | ++ +The API creator. + + | +
| APPLICATION_NAME | ++ +The name of the application. + + | +
| APPLICATION_OWNER | ++ +The owner of the application. + + | +
| DESTINATION | ++ +The destination. + + | +
| USER_AGENT | ++ +The user Agent. + + | +
| PLATFORM | ++ +The platform. + + | +
| TARGET_RESPONSE_CODE | ++ +The target response code. + + | +
Represents a metric used in CustomReports.
| Value | +Description | + + +
|---|---|
| HIT_COUNT | ++ +The number of API calls. + + | +
| RESPONSE_CACHE_HIT | ++ +The number of API calls that used the response cache. + + | +
| REQUEST_MEDIATION_LATENCY | ++ +The request mediation latency. + + | +
| RESPONSE_MEDIATION_LATENCY | ++ +The response mediation latency. + + | +
| BACKEND_LATENCY | ++ +The backend latency. + + | +
| TOTAL_LATENCY | ++ +The total latency. + + | +
| API_ERRORS | ++ +The number of hits for which API errors are returned. + + | +
| TARGET_ERRORS | ++ +The number of hits for which target errors are returned. + + | +
The Boolean scalar type represents true or false.
The Float scalar type represents signed double-precision fractional values as specified by IEEE 754.
The ID scalar type represents a unique identifier, often used to re-fetch an object or as the key for a cache. The ID type appears in a JSON response as a String; however, it is not intended to be human-readable. When expected as an input type, any string (such as "4") or integer (such as 4) input value is accepted as an ID.
The Int scalar type represents non-fractional signed whole numeric values. Int can represent values between -(2^31) and 2^31 - 1.
The String scalar type represents textual data, represented as UTF-8 character sequences. The String type is most often used by GraphQL to represent free-form human-readable text.
"===l.slice(0,3)?"
"+c+l.slice(3):c+l)+"