fix broken links under api security.

Author: dushaniw

en/docs/api-security/key-management/authentication/grant-types/client-credentials-grant.md

@@ -103,4 +103,4 @@ If you want to **disable the Client Credentials grant type** in the API-M instan
 
 ### Refresh Token grant type - supported or not
 
-The Client Credentials grant type **does not support** the Refresh Token grant type. This grant type does not issue a refresh token which can be used to obtain new access tokens using the [refresh token grant]({{base_path}}/learn/api-security/oauth2/grant-types/refresh-token-grant/).
+The Client Credentials grant type **does not support** the Refresh Token grant type. This grant type does not issue a refresh token which can be used to obtain new access tokens using the [refresh token grant]({{base_path}}/api-security/key-management/authentication/grant-types/refresh-token-grant/).

en/docs/api-security/key-management/authentication/grant-types/refresh-token-grant.md

@@ -6,7 +6,7 @@ The refresh token grant can be used when the current access token is expired or
 
     This refresh token needs to be kept private, similar to the access token. When using this token, keep in mind that it issues the access token without a user interaction.
 
-#### Flow
+## Flow
 
 After an access token is generated, sometimes you might have to renew the old token due to expiration or security concerns. You can renew an access token using a refresh token, by issuing a REST call to the Token API with the following parameters.
 A refresh token has to be obtained before using it with a grant type such as the authorization code or password grant type. Using the obtained refresh token, you can obtain a new access token along with a renewed refresh token without having to go through any other additional steps.
@@ -22,7 +22,7 @@ The diagram below illustrates the refresh token grant flow.
       - [Option 1](#option-1)
       - [Option 2](#option-2)
 
-### Generating a new access token and refresh token
+## Generating a new access token and refresh token
 
 To use this grant type, you need a refresh token, using which you can get a new access token and a refresh token. This can be done by issuing a REST call to the Token API through a REST client like cURL, with the following parameters:
 
@@ -70,11 +70,11 @@ The above REST response grants you a renewed access token along with a refresh t
     refresh_token_validity = 3600
 ```
 
-### Revoking a refresh token
+## Revoking a refresh token
 
 After issuing an access token and refresh token, a user or an admin can revoke it in case of theft or a security violation. You can do this by calling the Revoke API using a utility like cURL. The Revoke API's endpoint URL is <https://localhost:9443/oauth2/revoke>.
 
-#### Option 1
+### Option 1
 
 The parameters required to invoke the following API are as follows:
 
@@ -118,7 +118,7 @@ The parameters required to invoke the following API are as follows:
 < Server: WSO2 Carbon Server
 ```
 
-#### Option 2
+### Option 2
 
 The parameters required to invoke the following API are as follows:
 

en/docs/api-security/key-management/key-manager-overview.md

@@ -163,7 +163,7 @@ For deployments with millions of users and high token generation rates, consider
 - Need to reduce database load and improve TPS (Transactions Per Second)
 
 ### Choose Grant Types Based on Application Architecture
-Map [OAuth2 grant types]({{base_path}}/api-security/keymanagement/authentication/grant-types/overview/) to your application types: use client credentials for service-to-service, authorization code for web applications, and password grant only for highly trusted internal applications. Avoid the implicit grant type in production environments.
+Map [OAuth2 grant types]({{base_path}}/api-security/key-management/authentication/grant-types/overview/) to your application types: use client credentials for service-to-service, authorization code for web applications, and password grant only for highly trusted internal applications. Avoid the implicit grant type in production environments.
 
 ### Implement Comprehensive Scope Management
 Use [OAuth2 scopes]({{base_path}}/api-security/runtime/authorization/oauth2-scopes/fine-grained-access-control-with-oauth-scopes/) to implement fine-grained access control from the beginning. Design your scope hierarchy to match your API resource structure and business permissions. Implement scope whitelisting to prevent privilege escalation.

en/docs/api-security/key-management/third-party-key-managers/overview.md

@@ -27,4 +27,3 @@ Organizations can configure multiple Key Managers within a single tenant, allowi
 ### Custom Integration
 - **[Custom Key Manager]({{base_path}}/api-security/key-management/third-party-key-managers/configure-custom-connector/)**: Build connectors for proprietary authorization servers
 - **[Global Key Manager]({{base_path}}/api-security/key-management/third-party-key-managers/configure-global-key-manager/)**: Cross-tenant key manager configuration
-- **[Application Scopes]({{base_path}}/api-security/key-management/third-party-key-managers/application-scopes/)**: Fine-grained application scope management

en/docs/api-security/key-management/tokens/encrypting-oauth2-tokens.md

@@ -37,6 +37,6 @@ Follow the steps below to enable OAuth2 token encryption
     !!! tip
 
         -   If you use a [Distributed API Manager setup]({{base_path}}/install-and-setup/deploying-wso2-api-manager/distributed-deployment/understanding-the-distributed-deployment-of-wso2-api-m) , the changes must be made on both the Developer Portal and Key Manager nodes.
-        -   If you use WSO2 Identity Server [(WSO2 IS) as the Key Manager setup]({{base_path}}/install-and-setup/deploying-wso2-api-manager/ThirdPartyKeyManager/configuring-wso2-identity-server-as-a-key-manager/) , you need to make changes in both WSO2 IS and WSO2 API Manager.
+        -   If you use WSO2 Identity Server [(WSO2 IS) as the Key Manager setup]({{base_path}}/api-security/key-management/third-party-key-managers/configure-wso2is-connector/) , you need to make changes in both WSO2 IS and WSO2 API Manager.
 
 

en/docs/api-security/key-management/tokens/token-expiration.md

@@ -8,7 +8,7 @@ Application access tokens have a fixed expiration time, which is set to 60 minut
     token_validation.app_access_token_validity = 10000
 ```
 
-For more information about changing the default token expiration time, see [Changing the Default Token Expiration Time](../../../consume/manage-application/generate-keys/obtain-access-token/changing-the-default-token-expiration-time/).
+For more information about changing the default token expiration time, see [Changing the Default Token Expiration Time]({{base_path}}/api-developer-portal/manage-application/generate-keys/obtain-access-token/changing-the-default-token-expiration-time).
 
 Also take the **time stamp skew** into account when configuring the expiration time. The time stamp skew is used to manage small time gaps in the system clocks of different servers. For example, let's say you have two Key Managers and you generate a token from the first one and authenticate with the other. If the second server's clock runs 300 seconds ahead, you can configure a 300s time stamp skew in the first server. When the first Key Manager generates a token (e.g., with the default life span, which is 3600 seconds), the time stamp skew is deducted from the token's life span. The new life span is 3300 seconds and the first server calls the second server after 3200 seconds.
 

en/docs/api-security/runtime/authorization/api-authorization.md

@@ -4,4 +4,6 @@ Nowadays, most of the enterprise applications are built with a collection of RES
 
 - [Fine Grained Access Control Using Scopes]({{base_path}}/api-security/runtime/authorization/oauth2-scopes/fine-grained-access-control-with-oauth-scopes/)
 
-- [Fine Grained Access Control Using XACML]({{base_path}}/api-security/runtime/authorization/role-based-access-control-using-xacml/)
+- [Fine Grained Access Control Using XACML]({{base_path}}/api-security/runtime/authorization/role-based-access-control-using-xacml/)
+
+- [Fine Grained Access Control Using Application Scopes]({{base_path}}/api-security/runtime/authorization/oauth2-scopes/application-scopes/)

…party-key-managers/application-scopes.md …tion/oauth2-scopes/application-scopes.mden/docs/api-security/key-management/third-party-key-managers/application-scopes.md renamed to en/docs/api-security/runtime/authorization/oauth2-scopes/application-scopes.md en/docs/api-security/key-management/third-party-key-managers/application-scopes.md renamed to en/docs/api-security/runtime/authorization/oauth2-scopes/application-scopes.md

@@ -79,7 +79,7 @@ For more information on WSO2 API Manager, see the [overview]({{base_path}}/get-s
 
     Application scopes provide fine-grained control over permissions at the application level, enhancing security and flexibility. These scopes are configured as allowed scopes for specific applications and can only be selected from the subscribed scopes (scopes available from all subscribed APIs).
 
-     **[Learn more]({{base_path}}/api-security/key-management/third-party-key-managers/application-scopes/)** 
+     **[Learn more]({{base_path}}/api-security/runtime/authorization/oauth2-scopes/application-scopes/)** 
 
 ## Improvements
 

en/docs/get-started/about-this-release.md

@@ -385,6 +385,7 @@ nav:
                 - Overview: api-security/runtime/authorization/api-authorization.md
                 - Role-based Access Control Using XACML: api-security/runtime/authorization/role-based-access-control-using-xacml.md
                 - Fine Grained Access Control with OAuth Scopes: api-security/runtime/authorization/oauth2-scopes/fine-grained-access-control-with-oauth-scopes.md
+                - Application Scopes: api-security/runtime/authorization/oauth2-scopes/application-scopes.md
                 - Scope Whitelisting: api-security/runtime/authorization/oauth2-scopes/scope-whitelisting.md
             - API Request Response Schema Validation:
                 - JSON Schema Validator: api-security/runtime/api-request-response-schema-validation/json-schema-validator.md
@@ -429,7 +430,6 @@ nav:
                 - Configure a Custom Key Manager: api-security/key-management/third-party-key-managers/configure-custom-connector.md
                 - Configure the Global Key Manager: api-security/key-management/third-party-key-managers/configure-global-key-manager.md
                 - Configure the Azure AD as a Key Manager: api-security/key-management/third-party-key-managers/configure-azure-ad-key-manager.md
-                - Application Scopes: api-security/key-management/third-party-key-managers/application-scopes.md
 
     - API Gateway:
         - Universal Gateway: