Key Validation Policies in Oracle API Cloud Service (CS)
Use a key validation policy when we want to reject requests from unregistered (anonymous) applications.
Keys are distributed to clients when they register to use an API on the Developer Portal. At run-time, if they key is not present in the given header or query parameter, or if the application is not registered, the request is rejected; the client receives a 400 Bad Request error if no key validation header or query parameter is passed or a 403 Forbidden error if an invalid key is passed.
This policy can be added only to the request flow.
Let’s get in to the implementation on how to apply Key Validation policy.
Assume we already have API configured in API CS. If not, follow the blog Create API in Oracle API CS.
To configure a key validation policy please follow below steps:
- Click on the TestAPI which we created in previous blog Create API in Oracle API CS
- Click on API Implementation tab
- In the Available Policies region, expand Security, hover over Key Validation, and then click Apply
- Your Policy Name (Optional): Enter a name for the policy
- Comments (Optional): Describe why we are applying the policy for this API
- Place after the following policy: Select the policy after which this policy is placed in the request flow
- From the Key Delivery Approach region, select either Query Parameter or Header depending on the choice. If Query Parameter is selected then, key will be passed in the query parameter in API request or if Header is selected then key need to pass in header. The request is rejected if the parameter/header is not present, if the key is not present, or if the key is invalid. Enter Parameter / header name and Click Apply button
- Click Save button and redeploy the API from Deployments tab
- Hit the API and include appkey query parameter
- Hit the API without appkey query parameter
