On the 3rd step of editing APIs in WSO2 API Cloud, you can set required authentication type for each resource: We have already covered None as the option to allow invoking APIs without any authentication whatsoever. Today we will discuss the other options. Application type means that the API will require OAuth tokens generated with client grant type. That grant type produces tokens specific to the subscription but not the end-users. So if there is a web- or mobile application that subscribed to this API and it has multiple end-users, they will all be sharing the same token and the API backend will not "know" which end-user is invoking the API: Application User type means that the API accepts OAuth tokens generated with password grant type. These tokens are specific to the end-user - they require not just the application key but also end-user's username and password. In this case, each end-user gets their own OAuth tokens even though they are using the same API subscription. API Gateway then generates a JWT token and uses it to pass application and user information to the API backend: Application and Application User type means that both kinds of tokens are acceptable by the API.