Step 5: Secure your API
Before you give developers access to your API you should secure it from unauthorized access. One way to do this is to attach a policy to set up API key validation. An API key is a string with authorization information. Developers need to embed this key in their apps to access your API’s resources. An API key is provisioned for an API product, and is generated when a registered app is associated with an API product. You'll register an app and associate it with your API product in a later step.
Note: You can automatically generate a policy for API key validation when you create an API proxy. To do that, check the Security checkbox in the Add Features section of the New API Proxy page. However, in this tutorial, we'll show you how to add the policy after you've initially created the API proxy.
Add policy for key validation
The Verify API Key policy verifies the API key for an API product defined in the API Platform, returns an error if it is invalid, and if it is valid, looks up the attributes from the API product.
To add a Verify API Key policy:
- In the API Proxy Editor, click New Policy, and select Verify API Key in the Security category.
- Accept the defaults in the New Policy dialog and click Add.
- Click the Project button, then select Save in the drop-down menu to save the the current revision.
The new policy is attached to the request message flow at the ProxyEndpoint.
Deploy the API
Finally, you can deploy the revision you've been working on.
On the top of the screen, click the Deployment button and select test. This will replace the existing API with your new secure API.
Help or comments?
- Something's not working: See Apigee Support.
- Something's wrong with the docs: Click Send Feedback in the lower right.
(Incorrect? Unclear? Broken link? Typo?)