Secure your APIs

In this section we use API Manager to secure the APIs we have just registered. To do that, we use an API key, probably the most common protocol when exposing APIs to external developers, for example for developing mobile apps.

Change the authentication of an API

Time to complete: 5 min approx. User role: API manager or Security manager. Difficulty: low. For the corresponding video, click here.

  1. Open API icon > FrontEnd API tab
  2. Click on the name of the API: Star Wars
  3. The Editing API page opens for Star Wars, on the Inbound tab
  4. In Inbound security, a number of choices are available:

  5. Select API key.
    Other possibilities include HTTP basic authentication and OAuth, either with the gateway acting as an identity provider or with an external identity provider. You could also use AWS authentication (using an authorization header or query string), or 2-way SSL, which is often used for B2B integration.
  6. Enter:
    • API key field name: leave the default value of KeyId
    • API key location: leave the default value of Request headers
    • Remove credentials on success (yes or no): the advantage of selecting this option is that it avoids forwarding the API key to the back-end.
  7. Click OK, then click the Save button

The front-end API is now protected by API key authentication. It is also possible to authenticate the back-end API, against an identity and access management system for example. We won't be covering this option in the context of this tutorial: please contact us if you need further explanations.
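
The following is an added illustration, not Axway code and not part of the original tutorial: a small Python model of the inbound API-key check configured in steps 5 to 7, with an audit of the three outcomes worth verifying after saving. The KeyId field name and the Remove credentials on success option come from the steps above; the key value, the application name, the 401 status and the function names are constructed assumptions.

```python
# Added illustration: a model of the inbound API-key check, not Axway code.
# KeyId and "Remove credentials on success" come from the steps above; the
# key value, application name and 401 status are constructed assumptions.
import hmac

KEY_FIELD = "KeyId"                                 # default field name, step 6
REGISTERED = {"constructed-key-123": "mobile-app"}  # constructed sample key


def inbound(headers, remove_credentials=True):
    """Return (status, headers forwarded to the back-end, or None if rejected)."""
    # HTTP header names are case-insensitive, so match KeyId that way.
    presented = next((v for n, v in headers.items()
                      if n.lower() == KEY_FIELD.lower()), None)
    if presented is None:
        return 401, None
    # compare_digest avoids leaking how many leading characters matched.
    known = any(hmac.compare_digest(presented.encode(), k.encode())
                for k in REGISTERED)
    if not known:
        return 401, None
    if remove_credentials:
        headers = {n: v for n, v in headers.items()
                   if n.lower() != KEY_FIELD.lower()}
    return 200, dict(headers)


def audit(remove_credentials):
    """Run the three checks worth making after saving the policy."""
    findings = []
    good = {"keyid": "constructed-key-123", "Accept": "application/json"}
    if inbound({"Accept": "application/json"}, remove_credentials)[0] != 401:
        findings.append("request without a key was accepted")
    if inbound({"KeyId": "wrong"}, remove_credentials)[0] != 401:
        findings.append("unknown key was accepted")
    status, forwarded = inbound(good, remove_credentials)
    if status != 200:
        findings.append("valid key was rejected")
    elif any(n.lower() == KEY_FIELD.lower() for n in forwarded):
        findings.append("API key forwarded to the back-end")
    return findings


if __name__ == "__main__":
    for setting in (True, False):
        print("remove credentials =", setting, "->", audit(setting) or "ok")
```

With the option left off, the audit reports that the key reaches the back-end, where it can end up in back-end access logs.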

For more information...

  • Here at Axway, improving data security is an objective that takes precedence over all others. We have hardly scratched the surface on this page. For a more serious look at the subject, read Manage API Gateway security.
