API proxy execution - Ideal sequence of policies for request processing?

Prashant819
Participant II

Hi Community,

Could you please share your ideas on what would be the ideal order of steps and/or their corresponding policies in an API proxy execution to perform the logic below?

1. Traffic management (SpikeArrest + Quota)

2. Threat Protection (JSON/XML + Regex)

3. API key verification

4. IP Access control

5. OAuth2 token verification

6. Required header/data validation

7. Maintenance check of backends

Thank you.


Not applicable

There is no hard rule for this.

I can share the sequence I follow for different companies.

4, 2, 1, 3/5, 6, 7

I have given 3/5 because we normally use one of the two.

If you are using OAuth 2.0, then you need not use API key verification. If you need to use that, then OAuth is the primary security.

API key verification is a simple security for internal trusted use. OAuth 2.0 is the new standard.

4 - IP Access Control

3/5 - API key or OAuth

1 - Spike Arrest / Quota if you want to limit by App, Developer, Product after valid key/token

2, 6, 7
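For concreteness, here is an Apigee ProxyEndpoint wired in the order the reply ends with (IP access control, then token verification, then SpikeArrest/Quota keyed on the verified client, then threat protection, header validation and a maintenance check). This is an added example, not code from the thread or from either poster. The policy names (AC-IPAllowList, OA-VerifyToken, SA-SpikeArrest, Q-PerApp, JTP-JSON, XTP-XML, RP-Regex, RF-MissingHeader, KVM-Maintenance, RF-Maintenance), the base path and the flow variable `maintenance.enabled` are assumptions; each policy must exist as its own file under `apiproxy/policies/`.

```xml
<!-- Added example, not from the original thread. Policy names, base path and
     the maintenance.enabled variable are assumptions for illustration. -->
<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request>
      <!-- 4. IP access control first: cheapest check, rejects unknown sources
           before any token lookup or body parsing is done. -->
      <Step>
        <Name>AC-IPAllowList</Name>
      </Step>

      <!-- 3/5. Authentication. OAuth 2.0 is used here; for a key-only API,
           replace this step with a VerifyAPIKey policy instead. -->
      <Step>
        <Name>OA-VerifyToken</Name>
      </Step>

      <!-- 1. Traffic management after a valid token, so SpikeArrest and Quota
           can count per client_id / API product rather than per proxy. -->
      <Step>
        <Name>SA-SpikeArrest</Name>
      </Step>
      <Step>
        <Name>Q-PerApp</Name>
      </Step>

      <!-- 2. Threat protection. JSON/XML checks run only on bodies of the
           matching type; the regex policy runs on every request. -->
      <Step>
        <Name>JTP-JSON</Name>
        <Condition>request.header.Content-Type ~ "application/json*"</Condition>
      </Step>
      <Step>
        <Name>XTP-XML</Name>
        <Condition>request.header.Content-Type ~ "application/xml*"</Condition>
      </Step>
      <Step>
        <Name>RP-Regex</Name>
      </Step>

      <!-- 6. Required header validation: RaiseFault when the header is absent. -->
      <Step>
        <Name>RF-MissingHeader</Name>
        <Condition>request.header.X-Correlation-Id = null</Condition>
      </Step>

      <!-- 7. Backend maintenance check: a KeyValueMapOperations policy loads the
           flag into maintenance.enabled (assumed name), then RaiseFault fails
           closed so the backend is never called while it is flagged. -->
      <Step>
        <Name>KVM-Maintenance</Name>
      </Step>
      <Step>
        <Name>RF-Maintenance</Name>
        <Condition>maintenance.enabled = "true"</Condition>
      </Step>
    </Request>
    <Response/>
  </PreFlow>

  <Flows/>

  <PostFlow name="PostFlow">
    <Request/>
    <Response/>
  </PostFlow>

  <HTTPProxyConnection>
    <BasePath>/v1/orders</BasePath>
    <VirtualHost>secure</VirtualHost>
  </HTTPProxyConnection>

  <RouteRule name="default">
    <TargetEndpoint>default</TargetEndpoint>
  </RouteRule>
</ProxyEndpoint>
```

The reason traffic management sits after token verification is visible in the Quota step: once OA-VerifyToken (or VerifyAPIKey) has run, the client_id and the API product's quota settings are available as flow variables, so Q-PerApp can enforce the limit configured on the product for that app rather than one shared counter for the whole proxy. Everything before that point should be cheap and not depend on the caller's identity, which is why the IP allow list comes first.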