
API Key Authentication Policy

This policy uses the managed API key storage provided by Zuplo. allowUnauthenticatedRequests defaults to false, so any request without a valid API key is rejected with a 401 - Unauthorized response. Set "allowUnauthenticatedRequests": true to override this when you need to support multiple authentication methods, or both authenticated and anonymous requests.

Configuration

{
  "name": "my-api-key-inbound-policy",
  "policyType": "api-key-inbound",
  "handler": {
    "export": "ApiKeyInboundPolicy",
    "module": "$import(@zuplo/runtime)",
    "options": {
      "allowUnauthenticatedRequests": false
    }
  }
}

  • name: The name of your policy instance. This is used as a reference in your routes.
  • policyType: The identifier of the policy. This is used by the Zuplo UI. Value should be api-key-inbound.
  • handler/export: The name of the exported type. Value should be ApiKeyInboundPolicy.
  • handler/module: The module containing the policy. Value should be $import(@zuplo/runtime).
  • handler/options: The options for this policy:
    • authHeader

      The name of the header with the key. Defaults to Authorization

    • authScheme

      The scheme used on the header. Defaults to Bearer

    • bucketName

      Optional - The name of the API Key service bucket. Defaults to the autogenerated bucket name for your project. You can contact support@zuplo.com to create a new bucket.

    • allowUnauthenticatedRequests

      Whether requests should proceed even if the policy does not successfully authenticate them. Defaults to false, which rejects any request without a valid API key (returning a 401 - Unauthorized response). Set to true to support multiple authentication methods, or both authenticated and anonymous requests.

    • cacheTtlSeconds

      The time, in seconds, to cache authentication results for a particular key. Higher values decrease latency. Cached results remain valid until the cache expires, even in the event the key is deleted, etc.

    • disableAutomaticallyAddingKeyHeaderToOpenApi

      Zuplo automatically documents your API key header in your OpenAPI specification and Developer Portal. Set this to true to disable this behavior.
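
One way to review these options before deployment, as an added example that is not part of Zuplo's documentation or runtime: a small Node.js check that validates the fixed field values listed above and flags allowUnauthenticatedRequests set to true or a long cacheTtlSeconds. The function name, the finding format and the 300-second threshold are assumptions made for illustration.

```javascript
// Added example (not Zuplo code): audit an api-key-inbound policy object.
// MAX_TTL_SECONDS is an assumed review threshold, not a Zuplo default.
const MAX_TTL_SECONDS = 300;
const EXPECTED = {
  policyType: "api-key-inbound",
  "handler.export": "ApiKeyInboundPolicy",
  "handler.module": "$import(@zuplo/runtime)",
};

function auditApiKeyPolicy(policy) {
  const findings = [];
  const handler = policy.handler || {};
  const options = handler.options || {};
  const actual = {
    policyType: policy.policyType,
    "handler.export": handler.export,
    "handler.module": handler.module,
  };
  for (const [field, want] of Object.entries(EXPECTED)) {
    if (actual[field] !== want) findings.push({ level: "error", field, msg: `expected "${want}"` });
  }
  // A non-boolean value is flagged because its effect is ambiguous.
  const allow = options.allowUnauthenticatedRequests;
  if (allow === true) {
    findings.push({ level: "warn", field: "allowUnauthenticatedRequests",
      msg: "requests without a valid key proceed; another policy or the handler must authorize them" });
  } else if (allow !== undefined && allow !== false) {
    findings.push({ level: "error", field: "allowUnauthenticatedRequests", msg: "must be a boolean" });
  }
  // Cached results outlive key deletion, so the TTL is the revocation delay.
  const ttl = options.cacheTtlSeconds;
  if (ttl !== undefined && (!Number.isFinite(ttl) || ttl < 0)) {
    findings.push({ level: "error", field: "cacheTtlSeconds", msg: "must be a non-negative number" });
  } else if (ttl > MAX_TTL_SECONDS) {
    findings.push({ level: "warn", field: "cacheTtlSeconds",
      msg: `a deleted key can keep authenticating for up to ${ttl}s` });
  }
  return findings;
}

// Constructed sample policies: the page's config, and a relaxed variant.
const strict = { name: "my-api-key-inbound-policy", policyType: "api-key-inbound",
  handler: { export: "ApiKeyInboundPolicy", module: "$import(@zuplo/runtime)",
    options: { allowUnauthenticatedRequests: false } } };
const relaxed = { ...strict, name: "relaxed-policy", handler: { ...strict.handler,
  options: { allowUnauthenticatedRequests: true, cacheTtlSeconds: 3600 } } };

console.log(auditApiKeyPolicy(strict), auditApiKeyPolicy(relaxed));
```
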

Read more about how policies work