API Key Authentication

Authenticate requests with Zuplo's fully managed API Key service. This policy is the easiest way to secure your API and can be combined with other policies like Rate limiting, quotas, and more to build a fully featured API to support your partners, developers, or customers.

For more information on Zuplo's API Key Management service and options enabling self-serve API Key management see the following resources:

Configuration#

{
  "name": "my-api-key-inbound-policy",
  "policyType": "api-key-inbound",
  "handler": {
    "export": "ApiKeyInboundPolicy",
    "module": "$import(@zuplo/runtime)",
    "options": {
      "allowUnauthenticatedRequests": false
    }
  }
}

Options#

  • name the name of your policy instance. This is used as a reference in your routes.
  • policyType the identifier of the policy. This is used by the Zuplo UI. Value should be api-key-inbound.
  • handler/export The name of the exported type. Value should be ApiKeyInboundPolicy.
  • handler/module the module containing the policy. Value should be $import(@zuplo/runtime).
  • handler/options The options for this policy:
    • authHeader

      The name of the header with the key. Defaults to Authorization

    • authScheme

      The scheme used on the header. Defaults to Bearer

    • bucketName

      Optional - The name of the API Key service bucket. Defaults to the autogenerated bucket name for your project. You can contact support@zuplo.com to create a new bucket.

    • allowUnauthenticatedRequests

      If requests should proceed even if the policy does not successfully authenticate the request. Defaults to false and rejects any request without a valid API key (returning a 401 - Unauthorized response). Set to true to support multiple authentication methods or support both authenticated and anonymous requests.

    • cacheTtlSeconds

      The time to cache authentication results for a particular key. Higher values will decrease latency. Cached results will be valid until the cache expires even in the event the key is deleted, etc..

    • disableAutomaticallyAddingKeyHeaderToOpenApi

      Zuplo will automatically document your API key header within your OpenAPI specification & Developer Portal. Set this to true to disable this behavior.

Was this article helpful?

Do you have any questions?Contact us
Check out ourproduct changelog