
Step 2 - API Key Authentication

In this guide we'll add API Key authentication to a route. You can do this for any Zuplo project, but you will need a route; consider completing step 1 first.

API Key authentication is one of our most popular policies: this authentication method is considered one of the easiest for developers to use, but it is hard for API developers to get right. We also support JWT tokens and other authentication methods.

1/ Add the API Key authentication policy

Navigate to your route in the Route Designer and open the Policies section.


Add the API key authentication policy and click OK to accept the default policy JSON. Note,


The API key auth policy should usually be one of the first policies in your request pipeline; drag it to the top if you have multiple policies.

If you test your route, you should get a 401 Unauthorized response:

"status": 401,
"title": "Unauthorized",
"type": "",

2/ Set up an API key consumer

In order to call your API, you need to configure an API consumer. Go to Settings > API Consumers. Click Add New Consumer.


Create a name for your identity - this will be the subject (or sub) that identifies the user when calling Zuplo. Add your own e-mail address to the Key managers field and add some JSON metadata - this is freeform (but must be valid JSON). This metadata will be made available to the runtime when a key is used to authenticate.


3/ Go to the Developer Portal to get your key

Find the URL for your Developer Portal - this is available on the Getting Started page in the Files tab.


Navigate to your developer portal - you'll see a Sign In button. Click it and sign in, using the same e-mail you specified as the Key manager.


You should now see a key, ready to be minted, in the Authentication section of your Developer Portal.


Create a key for this consumer identity and copy the key to the clipboard.

4/ Test out your new key

Since we need to send the key in a header, it's hard to use the browser for this test. We'll use our built-in test client in Zuplo, but you could also use Postman for this part.

Go to the API Test Console and create a new Manual Test. Set the path to /todos and hit Test.


You should get a 401 Unauthorized response. Add a new authorization header with the value Bearer YOUR_API_KEY and insert the API Key you got from the developer portal.

You should now get a 200 OK.
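What an API key check has to do on each request, as an added Python example (not Zuplo's implementation and not code from this guide): read the Bearer value from the authorization header, look the key up by its hash, and either return the 401 body from step 1 or hand the consumer's sub and metadata to the runtime. The key, consumer name and metadata are constructed sample values, and `digest`, `authenticate` and `CONSUMERS` are hypothetical names.

```python
import hashlib
import hmac

# Constructed sample key; a real key would come from the Developer Portal.
SAMPLE_KEY = "example-key-0001"


def digest(key):
    # Keep only a hash of each key server-side. API keys are long random
    # strings, so a fast hash is adequate here (unlike for passwords).
    return hashlib.sha256(key.encode()).digest()


# Constructed consumer record: "sub" is the consumer name from step 2,
# "metadata" is the freeform JSON entered alongside it.
CONSUMERS = {
    digest(SAMPLE_KEY): {"sub": "my-consumer", "metadata": {"plan": "free"}},
}

UNAUTHORIZED = {"status": 401, "title": "Unauthorized"}


def authenticate(headers):
    """Return (200, consumer) for a valid key, otherwise (401, problem body)."""
    # HTTP header names are case-insensitive.
    value = next(
        (v for k, v in headers.items() if k.lower() == "authorization"), ""
    )
    scheme, _, key = value.strip().partition(" ")
    key = key.strip()
    # Reject a missing header, a non-Bearer scheme, or an empty key.
    if scheme.lower() != "bearer" or not key:
        return 401, UNAUTHORIZED
    presented = digest(key)
    match = None
    # Constant-time comparison against every stored digest, with no early exit.
    for stored, consumer in CONSUMERS.items():
        if hmac.compare_digest(stored, presented):
            match = consumer
    if match is None:
        return 401, UNAUTHORIZED
    return 200, match


if __name__ == "__main__":
    print(authenticate({}))
    print(authenticate({"Authorization": "Bearer " + SAMPLE_KEY}))
```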


We also offer an API for our API key service that allows you to programmatically create consumers and even create your own developer portal or integrate key management into your existing dashboard. Contact us at for access.

NEXT Try step 3 - add Rate Limiting to your API.