Serverless — API Keys

Dorian Machado
Sep 19, 2019 · 3 min read

Sometimes you need access to your API to be private 🔐, either the whole API or just some particular endpoints.


A handy feature for this with AWS API Gateway + Serverless Framework is called “API Keys”.

But what is an “API Key”? In a few words:

It is a unique, secret alphanumeric string that is sent as part of the API request (as a header) so that API Gateway can identify the application making the call.

One caveat before we start: AWS documents API keys as a way to identify and meter clients through usage plans, not as a replacement for real authentication such as an IAM, Cognito or Lambda authorizer. Treat the key as a shared secret, send it only over HTTPS, and combine it with a proper authorizer whenever the data behind the endpoint matters.

Remember that all the source code we use in this article will be available in github.

OK folks, let’s get down to code 💻


First of all, let’s create our serverless project:

sls create --template aws-nodejs --path test-api-key
cd test-api-key

Then trim the “serverless.yml” file down until it looks like the following. Note that a function is only reachable over HTTP once it has an “http” event (path and method) under “events:”; the complete configuration further down in this article declares one for each function. Without it, “sls deploy” creates the Lambda function but no API Gateway endpoint to curl.

service: test-api-key

provider:
  name: aws
  runtime: nodejs10.x

functions:
  hello:
    handler: handler.hello

Now we will add some NodeJS code to our “handler.js”

'use strict';

module.exports.hello = async event => {
  return {
    statusCode: 200,
    body: JSON.stringify(
      {
        message: 'Hello World, Hola Mundo',
        // Echoes the whole request event back to the caller. Handy for
        // debugging, but never do this on an endpoint that receives secrets:
        // headers such as x-api-key would end up in the response body.
        input: event,
      },
      null,
      2
    ),
  };
};

Time to deploy 🚀

sls deploy

Let’s test the endpoint using cURL ⚡️

curl https://fi9q27ak3f.execute-api.us-east-1.amazonaws.com/dev/hello

Perfect 🎉, our API is responding OK. Now we will create another endpoint and test it.

Create a new JS file called “private.js” with code like the following. A file on disk is not enough by itself: the function also has to be registered in “serverless.yml” (a function named “message” with handler “private.message” and an “http” event on path “message”, exactly as in the complete configuration shown further down), otherwise the next deploy will not create the /message endpoint.

'use strict';

module.exports.message = async event => {
  return {
    statusCode: 200,
    body: JSON.stringify(
      {
        message: 'Private EndPoint'
      },
      null,
      2
    ),
  };
};

Now deploy it 🚀

sls deploy

And test it ⚡️

curl https://fi9q27ak3f.execute-api.us-east-1.amazonaws.com/dev/message

Perfect 🎉. Nothing fancy so far, but now let’s secure 🔐 our endpoint.

In the “serverless.yml” file we add the following magic lines

service: test-api-key

provider:
  name: aws
  runtime: nodejs10.x
  apiKeys:
    - medium-tutorial-apikey

functions:
  hello:
    handler: handler.hello
    events:
      - http:
          path: hello
          method: get
  message:
    handler: private.message
    events:
      - http:
          path: message
          method: get
          private: true

In the “provider:” section we specify the name of our API key; on deploy the framework creates an API Gateway API key with that name, generates its value, and attaches it to a default usage plan for the stage (quotas and throttling for that plan can be set under “provider.usagePlan”). The “private: true” line inside the “http” event of the “message” function tells the framework that this endpoint is private: it sets “apiKeyRequired” on the API Gateway method, so requests without a valid key are rejected before the Lambda function is ever invoked. The “hello” endpoint has no such flag and stays public.

Now let’s deploy 🚀 and see some cool stuff in the output

sls deploy

The deploy output now lists, under “api keys:”, the name of our key and its generated value, which we need to call the private 🔐 endpoint. Treat that value like a password: keep it out of source control and out of logs, and retrieve it later with “sls info” rather than copying it around.

Test the secured endpoint again, this time without the key

curl https://fi9q27ak3f.execute-api.us-east-1.amazonaws.com/dev/message

OMG 😱 the endpoint is now secured: API Gateway answers with HTTP 403 and the body {"message":"Forbidden"} without invoking our function.

It’s time to test our API key 🔑 against the private endpoint. We pass the secret as the x-api-key header. Keep in mind that a key typed on the command line ends up in your shell history; in real use read it from an environment variable or a secrets store instead.

curl -H 'x-api-key: cvInWlxJNz6aUwDwpIHkw4Aq8ra2qzst5Gb1x5ac' https://fi9q27ak3f.execute-api.us-east-1.amazonaws.com/dev/message

Amazing, we did it 🎉

Conclusion

Written by Dorian Machado, Serverless Evangelist / Entrepreneur
