Step 3 - API Key Authentication
Choose your Development Approach
Select how you'd like to build your gateway. You can switch between approaches at any time.
Local Development
Develop and test your gateway locally using the Zuplo CLI. Full control over your environment.
In this guide we'll add API Key authentication to a route. You can do this for any Zuplo project but will need a route, consider completing Step 1 first.
API Key authentication is one of our most popular policies as implementing this authentication method is considered one of the easiest to use by developers but hard for API developers to get right. We also support JWT tokens and most other authentication methods.
What's a Policy?
Policies are modules that can intercept and transform an incoming request or outgoing response. Zuplo offers a wide range of policies built-in (including api key authentication) to save you time. You can check out the full list.
Let's get started.
-
Link your Local Project
When developing locally with Zuplo, you can "link" your local project to your Zuplo project using the
zuplo linkcommand. This allows you to test your changes in a real environment.When you run the command you will be prompted to select your Zuplo account, project, and environment. You can pick any environment.
CodeAfter your project is linked, environment variables and other configuration from your Zuplo project will be available in your local development environment.
-
Start your Project
You can start your project using the following command:
CodeAfter your project is started, you can open the local route designer at http://localhost:9100.
-
Add the API Key Authentication Policy
Open the local Route Designer by navigating to http://localhost:9100/. Select your route and click Add Policy on the incoming Requeset policies section.
Search for the API key authentication policy, click on it, and then click OK to accept the default policy JSON.
The API key authentication policy should usually be one of the first policies executed. If you came here from Step 2 then you will want to drag it above the rate limiting policy.
If you test your route, you should get a 401 Unauthorized response
Code -
Set up an API Key
In order to call your API, you need to configure an API consumer. Go to the Zuplo Portal, then open the project you are working on, Services, then click Configure on the "API Key Service".
Be sure to select the appropriate environment in the dropdown on the top right of the services page. You must select the environment type you linked your local project to. If you only have a single environment, you should select "Production". Later we will create new environments for preview.
Then click Create Consumer.
Let's break down the configuration needed.
- Subject: Also known as
sub. This is a unique identifier of the API consumer. This is commonly the name of the user or organization consuming your API - Key managers: The email addresses of those who will be managing this API key.
- Metadata: JSON metadata that will be made available to the runtime when a key is used to authenticate. Common properties include the consumer's subscription plan, organization, etc.
Go ahead and fill in
test-consumerfor the Subject. Add your own email as a Key manager, and leave the metadata empty for now. Click Save consumer once you're done. - Subject: Also known as
-
Copy your API Key
After your API Key consumer is created, copy your new API Key by clicking the copy button (next to the eye icon).
-
Test out your API Key
Using any HTTP client (like Postman or curl), make a request to your API.
CodeYou should get a 401 Unauthorized response - as we'ven't supplied the API key yet. Add an new
authorizationheader with the valueBearer <YOUR_API_KEY>and insert the API Key you got from the developer portal.You should now get a 200 OK.
CodeWe also offer an API for our API key service that allows you to programmatically create consumers and even create your own developer portal or integrate key management into your existing dashboard. See this document for details.
