Skip to main content

API Key Authentication

Authenticate requests with Zuplo's fully managed API Key service. This policy is the easiest way to secure your API and can be combined with other policies like Rate limiting, quotas, and more to build a fully featured API to support your partners, developers, or customers.

For more information on Zuplo's API Key Management service and options enabling self-serve API Key management see the following resources:

Configuration

The configuration shows how to configure the policy in the 'policies.json' document.

config/policies.json
{
  "name": "my-api-key-inbound-policy",
  "policyType": "api-key-inbound",
  "handler": {
    "export": "ApiKeyInboundPolicy",
    "module": "$import(@zuplo/runtime)",
    "options": {
      "allowUnauthenticatedRequests": false
    }
  }
}
  • name the name of your policy instance. This is used as a reference in your routes.
  • policyType the identifier of the policy. This is used by the Zuplo UI. Value should be api-key-inbound.
  • handler/export The name of the exported type. Value should be ApiKeyInboundPolicy.
  • handler/module the module containing the policy. Value should be $import(@zuplo/runtime).
  • handler/options The options for this policy:
    • authHeader

      The name of the header with the key. Defaults to Authorization

    • authScheme

      The scheme used on the header. Defaults to Bearer

    • bucketName

      Optional - The name of the API Key service bucket. Defaults to the autogenerated bucket name for your project. You can contact support@zuplo.com to create a new bucket.

    • allowUnauthenticatedRequests

      If requests should proceed even if the policy does not successfully authenticate the request. Defaults to false and rejects any request without a valid API key (returning a 401 - Unauthorized response). Set to true to support multiple authentication methods or support both authenticated and anonymous requests.

    • cacheTtlSeconds

      The time to cache authentication results for a particular key. Higher values will decrease latency. Cached results will be valid until the cache expires even in the event the key is deleted, etc..

    • disableAutomaticallyAddingKeyHeaderToOpenApi

      Zuplo will automatically document your API key header within your OpenAPI specification & Developer Portal. Set this to true to disable this behavior.

Using the Policy

Adding API Key authentication to your Zuplo API takes only a few minutes. This document shows you how to add the policy to your routes, create an API key, and make a request using the API Key.

Add the API Key Policy

The first step to setting up API Key authentication is to add the API Authentication policy to a route in your project.

  1. In the Zuplo Portal open the Route Designer in the Files tab then click routes.oas.json.

  2. Select or create a route that you want to authenticate with API Keys. Expand the Policies section and click Add Policy. Search for and select the Auth0 JWT Auth policy.

  3. With the policy selected, you will see the configuration and information about the options. For this tutorial just leave the options as they are and click OK to save the policy.

Create an API Key

In order to make a request to the route, you'll need an API Key.

  1. In the Zuplo Portal open the API Key Consumers section in the Settings tab.

  2. Click the button Add New Consumer.

  3. In the form that appears, enter a value for the Subject such as my-test. You can leave the other fields empty. Click OK to create the consumer.

  1. Now you can see the newly created consumer and its default API key. Select the Copy button to copy the API Key. You will use this value in the next section.

Test the Policy

Finally, you'll make two API requests to your route to test that authentication is working as expected.

  1. In the route designer on the route you added the policy, click the Test button. In the dialog that opens, click Test to make a request.

  2. The API Gateway should respond with a 401 Unauthorized response.

  1. Now to make an authenticated request, add a header to the request called Authorization. Set the value of the header to Bearer YOUR_API_KEY replacing YOUR_API_KEY with the value of the API Key you copied in the previous section.
  1. Click the Test button and a 200 OK response should be returned.

You have now setup API Key Authentication on your API Gateway.

See this document for more information about API Keys and API Key Management with Zuplo.

Writing Tests with the Auth Policy

For information on running tests while using API Key Authentication see the document Testing API Key Authentication.

Read more about how policies work