API Key Authenticator

Overview

Use the API Key Authenticator policy to authenticate a client by using API keys passed as a header or query parameter. 

Authentication Policy Requirement

All Authentication policies require the Authorize By Role policy to authenticate the API caller correctly. For example, you can configure this policy to add the role “admin” to the client and then configure the Authorize By Role policy to authorize users with that role.

Policy Execution Order

The API Key Authenticator policy executes after early-stage request validation policies, such as IP Restriction.

Expression Enabled Fields in API Policies

All expression enabled fields take expressions from the SnapLogic Expression Language and the API Policy Manager functions.

Settings

| Parameter Name | Description | Default Value | Example |
|---|---|---|---|
| Label | Required. The name for the API policy. | API Key Authenticator | Project API Key |
| When this policy should be applied | An expression enabled field that determines the condition to be fulfilled for the API policy to execute. For example, if the value in this field is request.method == "POST", the API policy is executed only if the request method is a POST. | N/A | request.method == "POST" |
| API Keys | Required. The API keys that a user can use for authenticating a client. Click + to add multiple API keys. Description, API key, and role must be unique. You can also reference a secret from a 3rd-party Secrets Manager vendor by entering an expression. | N/A | N/A |
| Description | Required. A description of the owner of the key. | N/A | bob@example.com |
| API Key | Required. The API key itself. This should be a long, randomly generated string. | N/A | 72D11F27-5719-4BE7-95BA-AF20DEBAF42D |
| Roles | Required. The list of roles to assign clients that use this key. | N/A | admin |
| Expiration MM-dd-yyyy | The API key's expiration date. Format: MM-dd-yyyy | N/A | 02-28-2022 |
| Key Location | Required. Specifies the location to find the key. If one of the given locations is not found, this API policy passes the request through to the next API policy. | N/A | N/A |
| Custom Header Keys | The names of the headers that can contain the key. If more than one header is given, they are all checked. Click + to add header keys. | N/A | N/A |
| Key | The name of the header containing the key. | N/A | X-API-Key |
| Custom Query String Parameter Keys | The names of the query parameters that can contain the key. If more than one name is given, then all names are checked. Click + to add header keys. | N/A | N/A |
| Key | The name of the query string parameter key. | N/A | token |
| Authorization Header Type | If the key is in the Authorization header, this value is used as the “type” to check. | token | token |
| Status | Specifies whether the API policy is enabled or disabled. | Enabled | Disabled |

Best Practices

Avoid passing sensitive information in query parameters since query parameters appear in logs and other locations.
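
The Python sketch below is an added example, not SnapLogic's implementation: it models the lookup described under Settings (custom headers, the Authorization header type, query parameters, and an MM-dd-yyyy expiration) over a constructed key table. Denying unknown or expired keys, treating the expiration date as inclusive, matching the Authorization type case-insensitively, and the names find_key and authenticate are assumptions.

```python
import hmac
import secrets
from datetime import date, datetime

# Constructed key table mirroring the API Keys settings (sample values only).
API_KEYS = [
    {"description": "bob@example.com", "key": secrets.token_urlsafe(32),
     "roles": ["admin"], "expiration": "02-28-2022"},
]
HEADER_KEYS = ["X-API-Key"]   # Custom Header Keys
QUERY_KEYS = ["token"]        # Custom Query String Parameter Keys
AUTH_TYPE = "token"           # Authorization Header Type


def find_key(headers, query):
    """Return the presented key, or None if no configured location holds one."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    for name in HEADER_KEYS:
        if name.lower() in h:
            return h[name.lower()]
    scheme, _, value = h.get("authorization", "").partition(" ")
    if scheme.lower() == AUTH_TYPE.lower() and value:
        return value.strip()
    for name in QUERY_KEYS:   # checked last: query strings end up in logs
        if name in query:
            return query[name]
    return None


def authenticate(headers, query, today=None, keys=API_KEYS):
    """Return ("pass", None), ("deny", reason) or ("allow", roles)."""
    presented = find_key(headers, query)
    if presented is None:
        return ("pass", None)  # documented: hand off to the next API policy
    today = today or date.today()
    match = None
    for entry in keys:         # constant-time compare against every entry
        if hmac.compare_digest(presented.encode(), entry["key"].encode()):
            match = entry
    if match is None:
        return ("deny", "unknown key")       # assumption: unknown keys are rejected
    if match.get("expiration"):
        expires = datetime.strptime(match["expiration"], "%m-%d-%Y").date()
        if today > expires:
            return ("deny", "expired key")   # assumption: expiration date is inclusive
    return ("allow", match["roles"])
```

An "allow" result carries only the roles; granting access on a role such as admin is still the job of the Authorize By Role policy.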