OAuth with Rest

Hi Everyone,

I am trying to learn/explore OAuth in webMethods.

I have configured OAuth client, scope in webMethods and associated socope with client.

I am able to successfully generate access & refresh tokens using built-in services in pub.Oauth package.

I was able to successfully test OAuth on a SOAP service (where a flow service was exposed as SOAP service in webMethods). I was able to execute SOAP Service using generated OAuth token.

However I am unable to test OAuth with a REST service (where a flow service is exposed as a REST resource in webMethods) when I use enable bearer token in PostMan to access the resource service (which is a flow service in IS actually) then I am getting following error in postman:

error_description=[ISS.0010.8046] Integration Server
rejected the request to access this resource.
The access token’s scope is insufficient to access the resource.

I have also tried


but this didn’t help.

May be I am not correctly adding rest service in scope that is associated with OAuth client. Can someone please guide me how can I add REST service correctly in scope?

Should I try to add folder or flow service in scope? or should I use url template option in scope instead?

Suppose the rest url that I am trying to hit via postman is following:

then how can I add this url in scope? Should I specify url in template or do I need to add folder etc (in which RAD exists or flow service exists)?

and if have to add this in scope as URL Template … then how can I create URL template for this service ?


Hello @mhaseeb.tariq ,

Please see if this tech community link helps.
Implementing OAuth using webMethods Integration Server - Knowledge base - Software AG Tech Community & Forums

1 Like

Hi Muhammad Haseeb,

Could you please tell me, in which version you are trying to invoke RestApi with Oauth.
Also, can you share screenshot of Scope Management Page and share the package

Hi Priya,

am using webMethods 10.11.
Screenshots of scope and package is attached below.
Its not working for rest but working perfect for soap.
do I need to add something else in scope ?
or if I had to add URL template please guide how can I add url template for this rest.
please guide @Priya_Gupta


Hi Muhammad Haseeb,

To invoke REST APIs, you have to create REST API descriptors.

Please follow the below steps:

  1. Create Rest API descriptor using restv2 resource
  2. Add the security definition into the security definition tab. (PFA for Adding Security Definition).
  3. Apply the security to the operation (PFA to apply security scheme to the operation)

At step 3, once the security is applied on the operation, scope will get autogenerated in IS Admin UI (Security > OAuth > Scope Management). PFA for Scope Management.

Detailed Information about the URL template

Integration Server generates the URLs automatically while creating the REST API descriptor
based on the Swagger document, then Integration
Server adds a default URL template as _/. For example,
GET_RadNamesSpace/employee. You can also modify this template; however, when
Integration Server re-generates the RAD using the same Swagger document, then it overrides the template as the default URL template

REST Request : /rad/namespace_of_rad/URL template of resource

Add Security Definition

Add Security Scheme to Operation

Scope Management




Thanks @Priya_Gupta, your contribution was very helpful and it solved my issue.

I have a question here. Do we always need to define a RAD for REST resource in order to enable OAuth on that REST resource?

For example, If I have exposed 3 different flow services as REST resource and I want to enable OAuth on all three of them (suppose each REST resource is for 1 specific client) then do I need to define three different RAD (one for each REST resource) to enable OAuth? Or can we do it without RAD as well? For example, can we specify “restv2” base path specific url in OAuth scope instead of RAD specific url in scope template?

This query might be lack of my knowledge about webMethods but I was curious to find out if RAD is necessary for enabling OAuth on REST resource?

Hi Muhammad Haseeb,

Software AG recommends that you create REST API descriptors, if you want to expose existing services using REST and wanted to use security mechanism to invoke the Rest API.

1 Like

Thanks @Priya_Gupta

1 Like

Hi Priya,

I’ve created one flow service that creates access token. Service is running fine manually and
and creates access token.

When i try to use it in restV2. it is giving me below error.

[301]2022-12-08 20:29:46 IST [ISS.0053.0002C] (tid=367) Access denied for user Administrator on port 5555 → ‘restv2/genToken’ from 0:0:0:0:0:0:0:1.

I’ve also tried it with rest descriptor with adding security in both ways which are basic outh and oauth with respective scope.

The service is working fine with soap. It is generating token.

With this token i’ve tried to invoke restV2 test service with creating rest descriptor and adding security.

Error is same [306]2022-12-08 20:37:11 IST [ISS.0053.0002C] (tid=367) Access denied for user bearer on port 5555 → ‘restv2/patient/’ from 0:0:0:0:0:0:0:1.

restv2/patient service is running fine without token with basic auth.

Requesting you to provide solution to this if any.

Hy @yashraj.makwana

I believe there a problem with your end point, in case of Rest-Descriptor, you dont have to add /restv2/ in endpoint url.

as per error log you provided :

Error is same [306]2022-12-08 20:37:11 IST [ISS.0053.0002C] (tid=367) Access denied for user bearer on port 5555 → ‘restv2/patient/’ from 0:0:0:0:0:0:0:1.

Try like this using Rest API descriptor as described above by priya.

REST Request : /rad/namespace_of_rad/URL template of resource

Actual Request : localhost:555/rad/test:RAD/emp/f1 (as per package structure in above Screenshot)

/rad/ is not the name of rad here … its like /restv2/your_endpoint || /rad/PackageName:RadName/

For Example If you have package named as RestPkg & and Rest Descriptor named as Rad1 inside the root folder. URL will be as following




It is working this way. Thanks.


What will be the step when webMethods is the calling service or for the outbound messages going to external systems or cloud?

For invoking service on external systems, its better and much easier to have swagger document(if provided for the service) imported in IS as Rest API Descriptors.
IS will generate connector services for all the APIs defined in swagger documents. These connectors services will have well defined signature for parameters, body and Authentication parameters. Invoking these connectors with appropriate inputs.


1 Like