As an API Platform owner (Apigee customer / API Provider), I want to create a strategy for API key / secret management and distribution so I can support the following types of App development use cases:
- Direct API consumer - Traditional App developer creates Apps as per the Apigee standard model (e.g. App developer registers, requests API products and receives keys).
- Indirect API consumer - App development partner (vendor) creates Apps on behalf of an API consumer (e.g. mom-n-pop shop) and either hosts the App or distributes via CD or download.
Use case 1 is the traditional Edge model, but use case 2 gets a bit more interesting. Here are some questions for consideration:
- Does the vendor create a single App with a single set of credentials and differential indirect consumers in some other way?
- Does the vendor create a single App, with multiple credentials, one for each in indirect consumer?
- Does the vendor create multiple Apps, one for each indirect consumer?
- If the App is hosted, does the indirect consumer enter their own App credentials?
- If the App is distributed, does the vendor distribute the keys to the indirect consumer to be configured upon installation?
- What are the implications for the Dev Portal and analytics?
Does Apigee have a recommended best practice?
What have others done?