Defining a security definition with API keys
A security definition with API keys defines the credentials that an API client must provide to access an API or operation.
About this task
You can require that an API client provides only the client ID or both the client ID and the client secret. When your security definition requires both the client ID and the client secret, you must create one API key for the client ID and one API key for the client secret.
To configure an API key security definition, you must define the following properties.
- The location to find client credentials. An API call fails when the credentials are not in the specified location. Regardless of the location, you must specify the same location for the client ID and the client secret. The location choices are header or query.
  - When header, client credentials are sent in the request headers. These headers are considered sensitive. By default, these headers are not sent to the target server.
    Important: To include secure headers with the invoke assembly action, you must define a set variable action that adds the wanted sensitive headers to the request.headers context. For more information, see Adding a set variable assembly action.
  - When query, client credentials are sent as query parameters. You cannot send the client secret as a query parameter.
- The type of client credential. The choices are ID and secret.
  - When client, the key defines the client ID. The client ID type of security definition requires that a client must show the expected client ID to access the API or operation.
  - When secret, the key defines the client secret. The client secret type of security definition requires that a client must show the expected client secret to access the API or operation.
- The name of the API key. According to the credential type, this is the name of the request header, basic authentication header, query parameter, or form data.
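The following added example (not IBM's code and not the gateway's implementation) models the rules above: it checks a pair of API key definitions for location errors and then looks for credentials only in the configured location. The class, function, header, and parameter names are assumptions made for illustration.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qs

@dataclass(frozen=True)
class ApiKeyDef:
    name: str      # name of the header or query parameter that carries the key
    location: str  # "header" or "query"
    kind: str      # "id" (client ID) or "secret" (client secret)

def validate(defs):
    """Return configuration errors for the API keys of one security requirement."""
    errors = []
    for d in defs:
        if d.location not in ("header", "query"):
            errors.append(f"{d.name}: location must be header or query")
        if d.kind == "secret" and d.location == "query":
            errors.append(f"{d.name}: client secret cannot be a query parameter")
    if len({d.location for d in defs}) > 1:
        errors.append("client ID and client secret must use the same location")
    return errors

def extract(defs, url, headers):
    """Return {kind: value}; None when a credential is not in its configured location."""
    query = parse_qs(urlsplit(url).query)
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    found = {}
    for d in defs:
        if d.location == "header":
            value = lowered.get(d.name.lower())
        else:
            value = query.get(d.name, [None])[0]
        if not value:
            return None  # the call fails: credential missing from the specified location
        found[d.kind] = value
    return found

# Constructed sample definitions; the key names are placeholders, not product defaults.
ID_HDR = ApiKeyDef("X-Example-Client-Id", "header", "id")
SECRET_HDR = ApiKeyDef("X-Example-Client-Secret", "header", "secret")
ID_QRY = ApiKeyDef("client_id", "query", "id")
SECRET_QRY = ApiKeyDef("client_secret", "query", "secret")

if __name__ == "__main__":
    print(validate([ID_QRY, SECRET_HDR]))
    print(extract([ID_HDR, SECRET_HDR],
                  "https://api.example.test/orders?client_id=abc",
                  {"X-Example-Client-Secret": "s3"}))
```

The second call prints `None`: the client ID arrives as a query parameter, but the definition expects it in a header.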
Procedure
- In the search field, enter security key.
- From the search results, click API security API key.
- Click Add.
- Define the basic properties - Name, administrative state, and comments.
- Select the location of the client credentials.
- Select the type of the client credential.
- Enter the name of the API key.
- Click Apply to save changes to the running configuration.
- Click Save to save changes to the persisted configuration.
What to do next
To enforce the security scheme for an API or operation, add the security definition to a security requirement of an API or operation.