As per my understanding, we generate access tokens for Applications are they are tied to Applications. When I access the API from multiple devices, I get a wired behavior (not sure whether it's the correct/ expected behavior. When I logout from one device I'm not able to access my APIs from any other devices without generating a new token.
Is this is the expected behavior? If so, how do we preserve the token across multiple devices?
Yes, you are correct, and this is the expected behaviour. According to the WSO2 API Manager architecture, if we log out from one device and revoke the access token, then all the calls made with that token thereafter will fail. If we allow users to have multiple tokens in parallel, that will cause security-related issues, and finally, users will end up having so many tokens that the user cannot even maintain.
Assuming you are using Password Grant, the best way to handle this is via the client application. We need to make the client application aware of error responses sent from the API Manager Gateway. And use the refresh token Approach. When you request a user token, you will get a refresh token along with the token response so that you can use that for refreshing the access token.
For more information, please refer to this best practice guide - https://apim.docs.wso2.com/en/latest/reference/guides/accessing-api-manager-by-multiple-devices-simultaneously/
The best option in this case is to generate an access token per device. We have a guide here - https://apim.docs.wso2.com/en/latest/consume/manage-application/generate-keys/obtain-access-token/access-tokens-per-device/#generating-access-tokens-per-device
curl -k -d"grant_type=password&username=<username>&password=<password>&scope=device_ipad"-H"Authorization :Basic base64encode(consumer-key:consumer-secret), Content-Type: application/x-www-form-urlencoded"https://localhost:9443/oauth2/token
