Is it possible to use a different API key for the API calls made by different applications in a single API Proxy?

We have two developer Apps, one each for App and Web API calls, namely "App" and "Web App", for the same API proxy.

How do we make sure that Web-based API calls use the API key of the Web developer App and not the API key of the App developer App, and vice versa?

Please advise how to accomplish this requirement.


As we know, the VerifyAPIKey policy doesn't validate whether the consumer key is coming from a specific developer app or not. It just validates that the consumer key is part of the developer app associated with a specific API Product that is associated with a specific API Proxy.

So to achieve the requirement we can try using the following steps:

  1. Determine whether the API call is made through an App or Web using one of the following ways:
    • Utilize the information that is passed via the headers like User-Agent or App-Version.
    • Alternatively, we can pass any other headers let's say -H "Type: Web" or -H "Type: App" to indicate that it is a Web based API call or App based API call.
  2. Within the API Proxy, use the VerifyAPIKey policy to validate whether the Consumer Key (APIKey) passed to the API Proxy is valid or not.
  3. Once the VerifyAPIKey policy completes the execution, it populates several useful flow variables. One of them is verifyapikey.VerifyAPIKey.developer.app.name that gives the Developer App Name.
  4. You can then have a JavaScript policy to proceed further only if the information available in the header (step #1) and developer app name are both indicating it is Web or App, otherwise return error.
    • That is, if the header indicates that it is a web-based call, then the developer app should point to the Web Developer App. Likewise, if the header indicates that it is an app-based call, then the developer app should point to the App Developer App.
    • Your JavaScript code may look something like this :
      var uastr = context.getVariable("request.header.User-Agent");
      var developerAppName = context.getVariable("verifyapikey.VerifyAPIKey.developer.app.name");

      // The header value and the developer app name must indicate the same client type.
      var isWeb = (uastr == "Web" && developerAppName == "WebApp");
      var isApp = (uastr == "App" && developerAppName == "App");

      if (isWeb || isApp) {
          print("success");
      } else {
          // Add appropriate error response with an HTTP response code here
          throw new Error("API key does not match the developer app for this client type");
      }
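
A fail-closed variant of the step 4 check, as an added example that is not part of the original reply: it uses the "Type" header option from step 1 and keeps the reply's developer app names. The `clienttype.*` flow variable names and the function names are hypothetical.

```javascript
// Added example: expected developer app for each value of the "Type" header.
// The app names "WebApp" and "App" follow the reply's snippet; adjust to your own.
var EXPECTED_APP = { web: "WebApp", app: "App" };

// Pure decision function so it can be tested outside the proxy.
// Returns { allowed, reason }; anything unexpected is denied.
function checkClientType(typeHeader, developerAppName) {
  // String() coercion keeps the comparison safe whatever type the runtime returns.
  var key = (typeHeader == null ? "" : String(typeHeader)).trim().toLowerCase();
  if (key === "") {
    return { allowed: false, reason: "missing_type_header" };
  }
  // hasOwnProperty avoids matching inherited names such as "constructor".
  if (!Object.prototype.hasOwnProperty.call(EXPECTED_APP, key)) {
    return { allowed: false, reason: "unknown_client_type" };
  }
  if (developerAppName == null || String(developerAppName) !== EXPECTED_APP[key]) {
    return { allowed: false, reason: "key_belongs_to_other_app" };
  }
  return { allowed: true, reason: "ok" };
}

// Policy entry point: reads the flow variables, records the decision, and
// throws on denial so the proxy's fault handling can build the error response.
function enforce(ctx) {
  var result = checkClientType(
    ctx.getVariable("request.header.Type"),
    ctx.getVariable("verifyapikey.VerifyAPIKey.developer.app.name")
  );
  ctx.setVariable("clienttype.allowed", result.allowed); // hypothetical variable name
  ctx.setVariable("clienttype.reason", result.reason);   // hypothetical variable name
  if (!result.allowed) {
    throw new Error("client type check failed: " + result.reason);
  }
  return result;
}

// Inside the JavaScript policy the global `context` exists; elsewhere this is skipped.
if (typeof context !== "undefined") {
  enforce(context);
}
```

The header is supplied by the caller, so this confirms that the key and the declared client type agree, not that the request really came from that client.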

I think a better approach would be to make use of the API products. Please refer to the docs for more info, particularly the section that talks about configuring the resource paths.