Is it per API, API key?

I am a new user to Apigee and it seems that, in Apigee, security options are applied on the API proxy level. That is, once you create an API proxy for backend API ‘abc’ and decide to use the API key security type, you are given the API key which you have to share among the developers who use your API. All applications that use the ‘abc’ API through that proxy will access it through that same API key.

Am I correct?

Hi @msm, welcome to the Apigee community!

That is correct: there are security policies which are applied to the API proxy, but API keys are associated per developer application in Apigee. You can read this article for more details: http://docs.apigee.com/developer-services/content/publishing-overview

Generally, developers request to use your API product and request API keys, and based on your API governance/guideline policies you approve (manually or automatically) API keys, set quotas, etc.

Coming to your question, it really depends. Generally, if all developers are working in a team and developing the same client app, then normally it is shared. But I am sure people will have their own opinions about this.

Thank you. That means the API developer can decide whether to use passthrough, OAuth or API key authentication types for their API proxies, and depending on what he selected the app developers will receive no key, an API key/app secret pair (as in http://docs.apigee.com/tutorials/secure-calls-your-api-through-oauth-20-client-credentials) or an API key only (as in http://docs.apigee.com/tutorials/secure-calls-your-api-through-api-key-validation). API keys are issued per application, right? And internally these keys are mapped with the respective API products, is that so?

Hi @msm, let's break down your questions,

api developer can decide whether to use passthrough, oauth or api key authentication types for their api proxies

Yes

and depending on what he selected the app developers will receive no key, api key app secret pair

No, it does not depend on the API. AFAIK the app developer, on creation of an App, will be given a set of keys by default.

Api keys are issued per application, right? And internally these keys are mapped with respective api products, is that so?

Yes

Generally speaking, an API key is used to identify the Application calling the API.