With the API Key Authentication policy configured on your API route(s), you can build additional policies that run after it to perform further checks or authorization on the consumer.
Request User Object
After each successful authentication, the policy will set the request.user
object. The name of the API Key consumer is set to the
metadata attached to the consumer is set to the
request.user.data property. The interface of
request.user is shown below.
So if you created a consumer with the following configuration:
The request object would be the following:
One question you might have is why the
request.user object is not the same
shape as the API Key Consumer object, i.e. why doesn't it have
The reason is that the
request.user object is reused by many different
kinds of authentication policies and they all conform to the same interface with
Using Consumer Data in Code
It is possible to write additional policies that run after the API Key Authentication policy that perform further gating or authorization of the request based on the data set in the consumer.
For example, you could gate access to a feature by checking for the
stored in metadata (exposed via
metadata could also be used to route requests to dedicated customer
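A follow-on authorization check of the kind described above, as an added example that is not code from the original page or from the gateway's runtime. The local `RequestUser` and `GatewayRequest` types, the `sub` field name, the `plan` and `customerId` metadata keys, and the plan names are all assumptions made so the block runs on its own.

```typescript
// Local stand-ins for the gateway's request types (assumed shapes).
interface RequestUser {
  sub: string;   // consumer name (field name assumed)
  data: unknown; // consumer metadata, exposed via request.user.data
}
interface GatewayRequest {
  user?: RequestUser; // only present after successful API key authentication
}
interface Denied {
  status: 401 | 403;
  body: { error: string };
}

// Hypothetical metadata key "plan" and plan names; substitute your own schema.
const PLANS_WITH_FEATURE: ReadonlySet<string> = new Set(["pro", "enterprise"]);

function isRecord(v: unknown): v is Record<string, unknown> {
  return typeof v === "object" && v !== null && !Array.isArray(v);
}

// Runs after the authentication policy. Returns the request to let it
// continue, or a Denied result to short-circuit. Unexpected shapes fail closed.
function requirePlan(request: GatewayRequest): GatewayRequest | Denied {
  const user = request.user;
  if (!user) {
    // Authentication policy missing or ordered after this one: never allow.
    return { status: 401, body: { error: "Unauthorized" } };
  }
  // Metadata is free-form, so validate its shape before trusting it.
  const plan = isRecord(user.data) ? user.data["plan"] : undefined;
  if (typeof plan !== "string" || !PLANS_WITH_FEATURE.has(plan)) {
    return { status: 403, body: { error: "Plan does not include this feature" } };
  }
  return request;
}

function isDenied(r: GatewayRequest | Denied): r is Denied {
  return "status" in r;
}

// Constructed sample requests, not taken from the page.
const proRequest: GatewayRequest = { user: { sub: "acme", data: { plan: "pro", customerId: 1234 } } };
const freeRequest: GatewayRequest = { user: { sub: "hobbyist", data: { plan: "free" } } };
const badShapeRequest: GatewayRequest = { user: { sub: "legacy", data: { plan: ["pro"] } } };
const unauthenticatedRequest: GatewayRequest = {};
```

The decision is based only on metadata attached to the consumer server-side, never on a client-supplied header or query parameter, and a missing `request.user` is treated as a denial rather than as an anonymous caller.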
If you had a simple function handler as
follows, it would return a
request.user object to your route if the API Key is
Would send the following response.