IBM webMethods Hybrid Integration

IBM webMethods Hybrid Integration

Join this online group to communicate across IBM product users and experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.


#TechXchangePresenter
 View Only

Public vs. Private Invocation for webMethods Integration Flow Services (SaaS)

By Wayne Leishman posted 28 days ago

  

A useful feature in IBM webMethods Integration (SaaS), part of the IBM webMethods Hybrid Integration (IWHI) platform, is the ability to toggle a Flow Service or API between public and private invocation. 

When you open a Flow Service in your tenant and navigate to Overview → Configuration, you’ll find a setting called Private Invocation. This toggle controls which URLs are exposed and who can invoke the service.

A screenshot of a computer AI-generated content may be incorrect.

A screenshot of a computer AI-generated content may be incorrect.

OR, if you are working with APIs in webMethods Integration, you toggle between public and private as shown below.

Public Invocation

When Private Invocation is disabled, the Flow Service or API exposes endpoints that can be invoked from outside the IWHI environment (authentication still applies).

URLs shown in Public Invocation mode

  • Public URL (HTTPS)
    • A publicly accessible endpoint for the Flow Service or API.
    • It can be invoked from tools like Postman or curl, partner systems, mobile/web apps, and any internet-based client.
    • It routes through the platform’s public ingress.
    • It’s ideal for development, prototyping, or quick external access.
  • Internal URL (HTTP)
    • A runtime endpoint inside the IWHI environment.
    • This URL is intended for service-to-service calls.
    • It is not exposed to the public internet.

Typical uses

  • Direct testing or debugging with Postman
  • Quick prototyping of a Flow Service
  • Temporary external access before wrapping the service in an API

Here is a Flow Service that allows public access:

A screenshot of a computer AI-generated content may be incorrect.

Here's an API that allows Public access:

While convenient, using public invocation for production is not recommended, clients can bypass your API management layer (security, analytics, rate limiting) when calling the Flow Service directly.

Private Invocation

When Private Invocation is enabled, the public URL is removed, and the Flow Service or API restricts access to internal, tenant-scoped endpoints only.

URLs shown in Private Invocation mode

  • Private URL (HTTPS)
    • An internally scoped HTTPS endpoint.
    • Intended for use by trusted components of your integration architecture (for example, management layers such as API Gateway or API Connect).
    • It routes through the platform’s private ingress.
  • Internal URL (HTTP)
    • A service-mesh endpoint inside the IWHI runtime.
    • Used for internal integration traffic.
    • Depending on your architecture, API management layers may also call this endpoint.
    • It is not reachable from outside the tenant.

Typical uses

  • Exposing a Flow Service only through an API layer (API Connect or webMethods API Gateway)
  • Having an internal backend service where direct public access is not allowed
  • Building services exclusively for internal integration logic

Here is a Flow Service that only allows private invocation:

A screenshot of a computer AI-generated content may be incorrect.

Here's an API in webMethods Integration that only allows Private access:

Benefits of Private Invocation

  • External access must go through an API layer that enforces security, rate limits, monitoring, and analytics
  • Reduces attack surface because the Flow Service or API is not publicly reachable
  • Aligns with enterprise integration and governance patterns

When to Allow Public Invocation

Public invocation remains useful for early-stage development:

  • You can call the Flow Service or API directly from Postman or other test clients without first creating an API
  • It accelerates prototyping and debugging

However, once the Flow Service and/or API is part of a larger integration architecture or production API, switching to Private Invocation is the better practice.

Summary

The toggle between public and private invocation is an important feature of webMethods Integration (SaaS).

  • Public Invocation: Exposes a Flow Service or API for direct external access - great for development and testing.
  • Private Invocation: Removes direct public access, forcing all access through controlled API or internal endpoints -à ideal for production and secure integration scenarios.

Reminder: You can change this setting at any time from the Flow Service’s Overview page (if exposing Flow Services directly), or from the APIs tab, within your webMethods Integration project (if using APIs).

A screenshot of a computer AI-generated content may be incorrect.

If using APIs within webMethods Integration:

References

Private Service Access Documentation
https://www.ibm.com/docs/en/wm-integration-ipaas?topic=services-private-service-access
This page explains how to enable private service access for Flow Services, what the setting does, and how it restricts invocation to components inside your tenant.

Flow Service Overview & Configuration
https://www.ibm.com/docs/en/wm-integration-ipaas?topic=managing-working-flow-services
This page covers general Flow Service management, including where to find the Overview settings, how to configure invocation, and how to test Flow Services

Note: at the time of this article I did not find the documentation for setting APIs in webMethods Integration to public/private. This article covers where and how to do it. The concepts of public versus private are the same.

0 comments
16 views

Permalink

https://community.ibm.com/community/user/blogs/wayne-leishman/2025/11/20/public-vs-private-invocation-for-webmethods-integr