Retrieve the credentials from the KVM and then use javacript to add the username and password in the request body as below"

var requestBody = JSON.parse(context.getVariable("request.content"));
var username = context.getVariable("username");
var password = context.getVariable("password");

requestBody.username = username;

requestBody.password = password;

@Vaibhav Pandey Let me give you a word of caution though. If you use KVM to store the credentials, it can be retrieved in a keyvaluemap policy alright, but at the same time it would also be accessible using the keyvaluemap management API where your credentials would be visible as plaintext. We introduced the concept of vault to work around this problem. But the drawback with vault is that its only accessibe from a node.js script target running in apigee. So if you are really looking for a secure solution, I would suggest using vault to store the credentials and vault ensures that the data is obscured when you make the GET calls on the vault entries. You can use node.js script to retrieve the credentials, and set them as flow variables or you can make the call to target itself in the node.js script unless you specifically want to avoid node.js.

We have a feature in the pipeline to do encrypted KVM which is going to cater to these sorts of usecases but its still in the design phase and there isn't an ETA on the feature's GA release yet.

@Vaibhav Pandey,

You can implement one more solution.

1) Encrypt the password and store in KVM.

2) Retrieve the password

3) Decrypt the password using the JAVA callout policy(You need to create a code for decrypting the password)

4) Apigee provide CONFIG mask so that while trace is open , the password is mask.

This is similar to Authorization header whose value is always masked while trace is on.

So you can use Config mask for password.

The only issue with this solution is that someone who has the ORGADMIN ROLE or GLOBAL Admin role(SYS ADMIN) has access to KVM.

I hope its clear. Please let me know in case you need more details.

A great way to solve the user authentication problem is to use Edge BaaS - the Backend-as-a-service - which allows you to register users and their passwords. Your API would then require that the user send in their username and password with the request.

You can then callout to BaaS to authenticate a username and password sent in with an API request. The policy that performs authentication might look like this:

<ServiceCallout name='SC-1'>
  <DisplayName>SC-1</DisplayName>
  <Request variable='authenticationRequest'>
    <Set>
      <!-- Shows how to request a token from usergrid. -->
      <Payload contentType='application/json'
               variablePrefix='%' variableSuffix='#'><![CDATA[
  { "grant_type":"password", "username":"%authn.uid#", "password":"%authn.pwd#" }
]]></Payload>
      <Verb>POST</Verb>
      <Path>/BAAS_ORGNAME/BAAS_APP/token</Path>
    </Set>
  </Request>
  <Response>tokenResponse</Response>
  <HTTPTargetConnection>
    <Properties>
      <Property name='success.codes'>2xx, 4xx</Property>
    </Properties>
    <URL>https://api.usergrid.com/</URL>
  </HTTPTargetConnection>
</ServiceCallout>

And then, upon success you can extract the token returned from BaaS, like this:

<ExtractVariables name="EV-BaasToken">
  <Source clearPayload="false">tokenResponse</Source>
  <JSONPayload>
    <Variable name="baastoken" type="string">
      <JSONPath>$.access_token</JSONPath>
    </Variable>
  </JSONPayload>
</ExtractVariables>

..and if that is non-null, then the username+password is authenticated, and you can let the request pass.

This may be different than what it seems you described. It seems like you want the username and password to be ADDED into the payload by Apigee Edge. And that seems like a design error. Instead you should require that the request send in the username and password, in the request.

If you choose to use BaaS to authenticate users, there is an administrative UI for BaaS that allows you to add users and set their passwords initially. Or you can do so programmatically. Lots of options in BaaS for managing users. Check the doc here (scroll down to "User Management") .

Hello all, I wanted to add an important note: encrypted KVMs are here. Details are in our documentation: http://docs.apigee.com/api-services/reference/key-value-map-operations-policy . You now have an option for encrypted data without having to use Node.js.