Authenticate your API

Edit online

About this task

Exposing APIs exposes application logic and sensitive data and can pose a security risk to an organization. Without authentication, APIs are vulnerable to unauthorized access, misuse, and abuse. Unauthenticated users or applications can potentially access sensitive data or resources, perform unauthorized actions, or overload the API with excessive requests. This is why API security becomes an important aspect. One of the ways you can secure your APIs is to implement authentication mechanisms that control their exposure through user credentials and encrypted access codes. The authentication mechanism works as a gatekeeper that grants access to only authentic users.

How do you select the right API authentication method?

There are different API authentication methods such as HTTP basic authentication, API key authentication, OAuth 2.0 authentication, JWT authentication.

Selecting the right authentication method for a particular API depends on the level of security that is required to validate the clients as against the ease of implementation. For example, the HTTP Basic authentication works well for restricting public access to low-risk data and resources, but still requires a minimum level of security controls. API key authentication works well in scenarios where API providers want to identify individual clients and regulate their permissions as required. API keys are suitable for simple API requests where you might not require a high level of security, whereas OAuth 2.0 or JWT authentication methods offer a greater level of security in the form of token revocation and refresh tokens.

API Gateway provides various authentication methods such as Basic Auth, API key, OAuth 2.0, OAuth with OpenID, JWT and so on. In this example, let's try to understand how to securely access APIs using the API key-based authentication. The API key authentication method uses system-generated strings that consist of a long series of letters or numbers to create unique pairs of identifying credentials and API access tokens. This code of numbers calls programs from a different application; the key then recognizes the code, its developer, the end-user, and the application where the API call is made from. When the client authenticates the API key, the server recognizes their identity and lets them access data with ease.

The figure depicts the API key-based authentication mechanism.!

authenticate API

Before you begin

Ensure that you have:

  • Manage APIs or Activate / Deactivate APIs functional privilege. If you are an Administrator you would have this privilege.
  • Postman installed in your system, or you can you use the web version of Postman.

Let's look at an example, where you secure a REST API, Petstore, with an API key and how do you use this API key to access the API.

To authenticate and access an API using API Key

Procedure

  1. Create a REST API Petstore.
    1. Click APIs in the title navigation bar.
    2. Click Create API.
    3. Select Import API from URL.
    4. Provide the following information:
      • URL: https://petstore.swagger.io/v2/swagger.json
      • Name: Petstore
      • Version: 1.0
      • Team: Administrator
      create API
    5. Click Create. The Petstore API is created and the Petstore API's details page appears.
    6. Click Activate to activate the API.
  2. Enforce the API with the Identify and Access policy to configure the identification type as API Key.
    1. Click Edit.
    2. Click Policies tab.
    3. Click Identify & Access in the policy catalog section.
    4. Click + for the policy Identify & Authorize to add the policy.
    5. Provide the following information in the policy properties section:
      • Condition type: OR
      • Identification type: API Key
      • Application lookup condition: Registered applications
      enforce IAM policy
    6. Click Save. The API is now enforced with the required policy
  3. Create an application petstore app and associate the Petstore API to the application.
    Adding the API to the application enables the application to access the API. An API developer while invoking the API at runtime, must provide the API key for API Gateway to identify the application.
    1. Click Applications in the title navigation bar.
    2. Click Create application.
    3. Provide the following information:
      • Name: petstore app
      • Version: 1.0
    4. Click Continue to Identifiers >
    5. Click Continue to APIs >
    6. Type the keyword pet in the search box to find the API Petstore and click + to add the API.
      create application
    7. Click Save. The application is now saved and the application details page appears
  4. Make a note of the API key to use to access the API.
    note api key
  5. Authenticate and access the petstore API using the API key
    In this example, we use the Postman application to invoke and access the API.
    1. Open Postman.
    2. In the Postman UI, select the http method as GET to retrieve the details of the pets by status.
    3. Invoke the endpoint, http://<host>:<port>/gateway/Petstore/1.0/pet/findByStatus
    4. In the Authorization tab, select the type as API Key and provide the following information:
      • Key: x-Gateway-APIKey
      • Value: The API key
      • Add to: Header
    5. Click Send.
      The REST API is invoked successfully and returns the status code as 200. The response contains the requested search data.
      autheticate api success

      In case the API key is invalid, you should see an error accessing the API as follows with the status code 401.

      autheticate api failure