How can I identify the developer/application on my backend?

Not applicable

My API has an existing API key system to identify the application sending the request. My backend needs to know this for many reasons as it supports multiple applications accessing the same API.

I'd like to replace that system with authentication coming from Apigee (I'm imagining it wouldn't make sense to have both the Apigee API key and my own API key in the request - right?), however, all the docs seem to say that Apigee "usually" strips out the API key when the request is forwarded to my backend.

I'm trying to figure out how my backend knows what developer and what application the request is coming from?

I can't quite find a clear explanation in the docs of how this is usually handled rather than trying to hack something together myself... or even worse if I have to have my own application & API key management system on top of Apigee?

Thanks!

1 ACCEPTED SOLUTION

Not applicable

@locatrix, yes - there is a simple way to identify the developer and app from the apikey.

You need to use two policies

1. VerifyApiKey policy. This policy would load a number of variables in the message context. You can then access the developer properties like below:

verifyapikey.{policy_name}.developer.app.name  --> Name of the app 
verifyapikey.{policy_name}.developer.id   --> id of the developer
verifyapikey.{policy_name}.client_id  --> API Key of the app  

The entire list is available [here](http://apigee.com/docs/api-services/reference/verify-api-key-policy#variables)

2. Then you can use an AssignMessage policy to use these flow variables to populate the header, queryparams as needed.

You need to make sure your target connection property does not strip off the headers/queryparams that you need to send to the backend.

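The two policies described in the accepted answer could be configured as follows. This is an added example, not part of the original post: the policy names `Verify-API-Key` and `Forward-App-Identity` and the `X-Developer-Id` / `X-Developer-App` header names are assumptions, and the key is assumed to arrive in the `apikey` query parameter.

```xml
<!-- Policy 1 (assumed name Verify-API-Key): validates the key and loads
     the verifyapikey.Verify-API-Key.* flow variables into the message context. -->
<VerifyAPIKey async="false" continueOnError="false" enabled="true" name="Verify-API-Key">
    <APIKey ref="request.queryparam.apikey"/>
</VerifyAPIKey>

<!-- Policy 2 (assumed name Forward-App-Identity): attach it to the request
     flow after Verify-API-Key so the variables are already populated. -->
<AssignMessage async="false" continueOnError="false" enabled="true" name="Forward-App-Identity">
    <!-- Drop the raw key so the credential itself never reaches the backend. -->
    <Remove>
        <QueryParams>
            <QueryParam name="apikey"/>
        </QueryParams>
    </Remove>
    <!-- Set creates the header or overwrites a value the caller supplied,
         so the backend sees only what the proxy resolved from the key.
         Header names here are assumptions; use whatever the backend expects. -->
    <Set>
        <Headers>
            <Header name="X-Developer-Id">{verifyapikey.Verify-API-Key.developer.id}</Header>
            <Header name="X-Developer-App">{verifyapikey.Verify-API-Key.developer.app.name}</Header>
        </Headers>
    </Set>
    <!-- Fail the request instead of forwarding empty identity headers
         if a variable cannot be resolved. -->
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>
```

The backend can treat these headers as asserted by the proxy only if it is reachable solely through the proxy; a backend that clients can reach directly would receive whatever header values the caller chose.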

8 REPLIES 8

Not applicable

The apikey query parameter is removed via an Assign Message policy in the proxy after VerifyAPIKey policy. If you don't have an Assign Message policy that strips off the query parameter, it will be passed to the backend along with the other query parameters. Thus, you could use the apikey query parameter to identify the app making the request.

Not applicable

Thanks, Michael, so in fact that's exactly what I've just done in my test environment, but I was wondering if that's the standard practice?

I was just surprised that the API key is stripped as the apparent standard practice, so I feel like I must be missing something?

I was thinking this must be something most developers would want to be able to do since Apigee exists to provide the developer portal, app management, api key management, etc, you'd want to be able to identify which app/developer is sending the request on the backend, right?

Not applicable

Many developers use the API key as the "gatekeeper" to the API and if you have a valid one, it is enough to use the service. So, for many, once the VerifyAPIKey step has passed, there is no need for the key any more. Also, the apikey parameter is something that Apigee adds on and is not normally a parameter that the backend service knows how to handle.

Not applicable

Thanks, Michael, that does make sense then.

Just the last part of my question there - is there some way of identifying the Apigee Developer and Developer Apps from the API key to fully accomplish my goal?

Not applicable

This is a less standard way to use the product, so I'm going to ask some people how to do this, if it can be done. I'll have someone post something or get back myself.

Thanks a lot Michael, with the additional help from Santanu I'm all set now.


That's perfect and exactly what I was hoping for. Thank you!