Use the API Key Authenticator policy to authenticate a client by using API keys passed as a header or query parameter.
All Authentication policies require the Authorize By Role policy to authenticate the API caller correctly. For example, you can configure this policy to add the role “admin” to the client and then configure the Authorize By Role policy to authorize users with that role.
Policy Execution Order
The API Key Authenticator policy executes after early-stage request validation policies, such as IP Restriction.
| Parameter Name | Description | Default Value | Example |
|---|---|---|---|
| Label | Required. The name for the API policy. | API Key Authenticator | Project API Key |
| When this policy should be applied | An expression-enabled field that determines the condition that must be fulfilled for the API policy to execute. For example, if the value in this field is request.method == "POST", the API policy is executed only if the request method is POST. | N/A | request.method == "POST" |
| | Required. The API keys that a user can use for authenticating a client. Click + to add multiple API keys. | | |
| | Required. A description of the owner of the key. | | |
| | Required. The API key itself. This should be a long, randomly generated string. | | |
| | Required. The list of roles to assign to clients that use this key. | | |
| | The API key's expiration date. | | |
| | Required. Specifies the locations in which to look for the key. If the key is not found in any of the given locations, this API policy passes the request through to the next API policy. | | |
| Custom Header Keys | The names of the headers that can contain the key. If more than one header is given, they are all checked. Click + to add header keys. | | |
| Key | The name of the header containing the key. | N/A | X-API-Key |
| Custom Query String Parameter Keys | The names of the query parameters that can contain the key. If more than one name is given, all names are checked. Click + to add query string parameter keys. | | |
| Key | The name of the query string parameter key. | N/A | token |
| Authorization Header Type | If the key is in the Authorization header, this value is used as the "type" to check. | | |
| | Specifies whether the API policy is enabled or disabled. | | |
Avoid passing sensitive information in query parameters since query parameters appear in logs and other locations.
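The following Python sketch is an added illustration of the behaviour the table describes, not the product's own code: it checks the configured header keys, then the query string keys, then the Authorization header with the configured type, passes the request through when no key is present, rejects expired or unknown keys, and otherwise returns the key's roles. The configuration dictionary, key values, owners and the "ApiKey" authorization type are constructed for the example.

```python
import hmac
from datetime import datetime, timezone

# Constructed sample configuration mirroring the policy's fields (not the real config format).
API_KEYS = [
    {"owner": "reporting service", "key": "k-7f3a9c1e5b2d4a6f8e0c1b3d5f7a9c2e",
     "roles": ["admin"], "expires": "2099-01-01T00:00:00+00:00"},
    {"owner": "retired batch job", "key": "k-00001111222233334444555566667777",
     "roles": ["reader"], "expires": "2020-01-01T00:00:00+00:00"},
]
HEADER_KEYS = ["X-API-Key"]          # Custom Header Keys
QUERY_KEYS = ["token"]               # Custom Query String Parameter Keys
AUTH_TYPE = "ApiKey"                 # Authorization Header Type (assumed value)


def extract_key(headers, query):
    """Return the key from the first configured location that carries one, or None."""
    lc = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    for name in HEADER_KEYS:
        if name.lower() in lc:
            return lc[name.lower()]
    for name in QUERY_KEYS:
        if name in query:
            return query[name]
    scheme, _, value = lc.get("authorization", "").partition(" ")
    if scheme.lower() == AUTH_TYPE.lower() and value.strip():
        return value.strip()
    return None


def authenticate(headers, query, now=None):
    """Return ("ok", roles), ("pass", None) if no key is present, or ("reject", reason)."""
    now = now or datetime.now(timezone.utc)
    presented = extract_key(headers, query)
    if presented is None:
        return ("pass", None)   # key absent: hand the request to the next policy
    for entry in API_KEYS:
        # Constant-time comparison so response timing does not reveal matching prefixes.
        if hmac.compare_digest(entry["key"].encode(), presented.encode()):
            if datetime.fromisoformat(entry["expires"]) <= now:
                return ("reject", "expired key for " + entry["owner"])
            return ("ok", entry["roles"])
    return ("reject", "unknown key")
```

The roles returned for a valid key are what a following Authorize By Role policy would act on.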