CODEWITHSUNDEEP
api-keyapigee
user1801279
user1801279

Reputation: 1793

apigee: where do I correlate the keys with this policy

So I read this in the apigee documentation to understand how I can enforce an API validation policy . I am still confused on where this is correlating the keys with .

1) lets say I have an api key called key1 for a client . the 

<VerifyAPIKey name="APIKeyValidation">
  <APIKey>request.queryparameter.apikey</APIKey>
</VerifyAPIKey>

strips the api key from the request . Now my question here is how I should be correlating this key with key1 . any pointers / help with this is greatly appreciated .

Upvotes: 0

Views: 597

Answers (2)

StringifySteve
StringifySteve

Reputation: 98

Key validation in Apigee Edge is an integrated part of the platform, in the prior generation the key validation was done through an API.

The way it works follows this general flow

  1. Key is Generated ( this can be done through a development portal or directly through the Enterprise UI)
  2. Key is passed to API with a VerifyAPIKey policy

  3. The VerifyAPIKey policy is configured to consume the key from part of the request, this can be a form param, header or query param.

    <VerifyAPIKey name="APIKeyValidation"> <APIKey>request.queryparameter.apikey</APIKey> </VerifyAPIKey>

  4. The Policy Validates that the API key referenced is valid, if it is valid the policy will fill several variables that are useful for further processing.
  5. If the key is invalid the policy will return an appropriate error.
  6. If some of the data that is returned from the policy does not match some of your workflow assumptions you can use the raisefault policy with a condition matching your assumption

Here are some documentation pages that talk about these policies and how they work http://apigee.com/docs/api-services/content/enforce-access-control-using-verifyapikey http://apigee.com/docs/api-services/content/exception-handling-raisefault

Upvotes: 0

ap-andrew
ap-andrew

Reputation: 131

You don't need to explicitly 'correlate' the API key. The policy actually validates the key for you. (In fact, sometimes you'll want to strip the API key using another policy--AssignMessage--after the key has been validated.)

The variable in the policy, 'request.queryparameter.apikey', just tells the API proxy where to look for the API key in the request message. Once it has located the key, it does the validation, and throws an exception if the key is not valid.

You can check out this sample for more:

https://github.com/apigee/api-platform-samples/tree/master/sample-proxies/apikey

Hope that helps.

Upvotes: 1

Related Questions