Step 2 - API Key Authentication
In this guide we'll add API Key authentication to a route. You can do this for any Zuplo project, but you will need a route, so consider completing step 1 first.
API Key authentication is one of our most popular policies: it is considered one of the easiest authentication methods for developers to use, but it is hard for API developers to get right. We also support JWT tokens and other authentication methods.
1/ Add the API Key authentication policy
Navigate to your route in the Route Designer and open the Policies section.
Add the API key authentication policy and click OK to accept the default policy JSON.
Note: the API key auth policy should usually be one of the first policies in your request pipeline. Drag it to the top if you have multiple policies.
If you test your route, you should get a 401 Unauthorized response.
2/ Set up an API key consumer
In order to call your API, you need to configure an API consumer. Go to Settings > API Consumers and click Add New Consumer.
Create a name for your identity - this will be the subject (or sub) that identifies the user when calling Zuplo. Add your own e-mail address to the Key managers field and add some JSON metadata - this is freeform (but must be valid JSON). This metadata will be made available to the runtime when a key is used to authenticate.
3/ Go to the Developer Portal to get your key
Find the URL for your Developer Portal - this is available on the Getting Started page in the Files tab.
Navigate to your developer portal - you'll see a Sign In button. Click it and sign in, using the same e-mail you specified as the Key manager.
You should now see a key, ready to be minted, in the Authentication section of your Developer Portal.
Create a key for this consumer identity and copy the key to the clipboard.
4/ Test out your new key
Since we need to send the key in a header, it's hard to use the browser for this test. We'll use our built-in test client in Zuplo, but you could also use Postman for this part.
Go to the API Test Console and create a new Manual Test. Set the path to /todos and hit Test.
You should get a 401 Unauthorized response. Add a new authorization header with the value Bearer YOUR_API_KEY and insert the API Key you got from the developer portal.
You should now get a 200 OK.
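The checks from step 4 can be kept as a repeatable script so that a later policy change that leaves the route open is caught. This is an added example, not part of the original guide or Zuplo's own code; the function names, the base URL and the extra wrong-key case are assumptions made for illustration.

```javascript
// Added example: regression check for an API-key-protected route.
// The function names, base URL and key values are placeholders.

// Sends one GET request and returns only the HTTP status code.
async function statusFor(url, headers, fetchImpl) {
  const res = await fetchImpl(url, { method: "GET", headers });
  return res.status;
}

// Repeats the two requests from step 4 (no key -> 401, valid key -> 200)
// and adds one negative case: a wrong key must also be rejected.
// fetchImpl defaults to the global fetch (Node 18+ or a browser).
async function checkApiKeyRoute(baseUrl, path, apiKey, fetchImpl = fetch) {
  const url = new URL(path, baseUrl).toString();
  const cases = [
    { name: "no authorization header", headers: {}, expect: 401 },
    {
      name: "wrong key",
      headers: { authorization: "Bearer not-a-real-key" },
      expect: 401,
    },
    {
      name: "valid key",
      headers: { authorization: `Bearer ${apiKey}` },
      expect: 200,
    },
  ];

  const results = [];
  for (const c of cases) {
    const got = await statusFor(url, c.headers, fetchImpl);
    // The key itself is never written into the results, so the
    // report can be logged or stored by CI without leaking it.
    results.push({ name: c.name, expect: c.expect, got, pass: got === c.expect });
  }
  return { ok: results.every((r) => r.pass), results };
}
```

Call `checkApiKeyRoute` with your gateway URL, the `/todos` path and a key read from an environment variable or secret store rather than one written into the script.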
We also offer an API for our API key service that allows you to programmatically create consumers and even create your own developer portal or integrate key management into your existing dashboard. Contact us at [email protected] for access.
NEXT Try step 3 - add Rate Limiting to your API.