As your developers start working with your APIs, you might occasionally need to cut off or limit access. You may have an API that's malfunctioning, or a particular developer is having issues with their apps. In these cases, Apigee offers several ways to block access. The most common methods are revoking keys and refreshing end-user tokens.
A key is attached to every call an app makes. When you revoke a key, you block all the traffic from a specific app as all its calls are invalid.
A user token authorizes a specific user IP address. When you refresh user tokens, you reset that authorization for all users, forcing them to get a new token to make calls.
You can also limit access by controlling the traffic from apps. See Control traffic flow for more.
Controlling access using keys
Keys are automatically generated when you create an app. Each app is assigned a key and secret key. Together, these keys act like a username/password combo that authorizes an app to aceess to your resoruces. When an application makes a request, Apigee inspects it to verify that the API key matches the resource that the app is requesting, and checks the API product definitions associated with API key to see whether the resource is permitted. If everything lines up, Apigee sends back the requested resource data.
As the API provider, you can decide who gets a key and whether that key is enabled or disabled. When you disable a key, every application that contains that key no longer has access to the resources in the associated API product. Depending on how you set up your apps, a disabled key can cut off entire sets of functionality, or completely disable the app. For example, if you find a serious error in an API resource, you can disable the key for its app, preventing errors in your developers' applications.
Controlling access to products
A product cannot be accessed without a key. The key is associated with a product when it is included into an app. You can revoke the keys associated with a product. When you revoke keys for a product, you are only revoking access to that product, not invalidating the keys. The keys can still access other products.
To revoke a key for a product
- On the App summary page, select an app.
- On the App detail page, locate the product you want to disable in the Products Used table.
- Click Revoke in the Actions.
If the app is using a product with manual key approval, you'll see Key Request in this column. You will have the option to Approve or Delete the key request.
Refreshing access tokens
If an app has some type of security applied, such as OAuth 1.0, each call requires a valid access token. An end-user token controls a user's access to an app. When the user has access to the app, they have access to all the API products that app contains, which in turn gives them access to all the resources within those API products. End-user tokens are automatically generated when a user logs in to an app for the first time. The token stores the scope. As an API provider, you define a scope when you set up your OAuth policy.
Refreshing tokens makes all current tokens invalid, forcing users to sign up again. In most cases, you refresh end-user tokens in bulk to respond to security issues, such as a security breach or a change in your terms of use. In rare cases, you might need to refresh single tokens if a specific user has a security issue.
To refresh end-user tokens for an app
On the All App summary page, roll over the End User Token column for the app and select Refresh all tokens in the pop-up.
