Invoking an API using API keys — APIM 2.6.0 WSO2

An API key is a unique value used to authenticate API calls. WSO2 API Manager authenticates API calls with OAuth by default. As an alternative to OAuth, you can opt to use an API-specific key to validate API calls. API key validation security schemes are recommended in scenarios where security is less critical. This feature is implemented in APIM 3.0.0 [1], but it is not available in older versions of APIM. However, you can achieve the same result in an older version of APIM by following the steps below.

  1. You can publish an API with no credentials (without an access token) by changing the x-auth-type of a particular resource in the API. To do that, set the "x-auth-type" of each resource in the API to "None". This blog [2] explains step by step how to publish an API so that it can be accessed in no-credential mode.
  2. First, select the APIs that you need to access without an access token and republish them by following the steps in [2].
  3. Below is a sample sequence, key_mapping.xml, which checks the validity of your key and then proceeds with the invocation of the API. Upload this sequence to the in-flow by editing the API that you need to access without credentials, then republish the API to apply the change.


<sequence name="key_mapping" xmlns="http://ws.apache.org/ns/synapse">
    <log level="custom" name="test" message="++++PassedHeader++++">
        <property name="X-APIHEADER value" expression="$trp:X-APIHEADER"/>
    </log>
    <!-- get the header which you passed through the request -->
    <property name="apiheader" expression="$trp:X-APIHEADER"/>
    <!-- here you can define your secret key -->
    <property name="apikey" action="set" value="nadee"/>
    <log level="custom" name="test11">
        <property name="apikeyval" expression="get-property('apikey')"/>
    </log>
    <!-- compare the header value and the key value -->
    <property name="propertyCompare" expression="get-property('apiheader') = get-property('apikey')"/>
    <log level="custom">
        <property name="propertyCompare" expression="get-property('propertyCompare')"/>
    </log>
    <switch source="get-property('propertyCompare')">
        <!-- if the header value equals the key, the API invocation will be successful -->
        <case regex="true">
            <log level="custom">
                <property name="filterA" value="Matched"/>
            </log>
        </case>
        <!-- if the header value is not equal to the key, the API invocation will fail
             and throw an error code; you can modify this part as you want -->
        <case regex="false">
            <log level="custom">
                <property name="filterB" value="Not Matched"/>
            </log>
            <property name="HTTP_SC" value="510" scope="axis2"/>
            <payloadFactory media-type="xml">
                <format>
                    <am:fault xmlns:am="http://wso2.org/apimanager">
                        <am:type>Status report</am:type>
                        <am:message>Runtime Error: Invalid credentials</am:message>
                    </am:fault>
                </format>
                <args>
                    <arg expression="$ctx:ERROR_CODE"/>
                    <arg expression="$ctx:ERROR_MESSAGE"/>
                </args>
            </payloadFactory>
            <!-- send the fault back to the client instead of calling the backend -->
            <respond/>
        </case>
        <!-- if the header value is not passed, the API invocation will fail and throw an error code -->
        <default>
            <log level="custom">
                <property name="filterC" value="Not Matched"/>
            </log>
        </default>
    </switch>
</sequence>

  4. Then you can invoke the API by passing your key as a header, as shown below.

curl -k -X GET "https://<IP_Address>:8243/test/v1/" -H "accept: application/json" -H "X-APIHEADER: nadee"

If the API is invoked successfully, you get 200 OK; if it fails, you receive the 510 code with the "Runtime Error: Invalid credentials" error message.

The logic of this sample sequence is as follows: when you pass your key value in the "X-APIHEADER" header, it is checked against your actual key value. You therefore need to configure the actual key value in the sequence as a property (e.g., here the actual key value is "nadee"). If the check passes, the API is invoked successfully; otherwise (wrong key or no key) the API invocation fails with the "Runtime Error: Invalid credentials" error. You can modify this sequence with your own property name, key values, and error code and message as required.
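A stricter variant of the sequence above, as an added example that is not part of the original post: it never writes the key or the submitted header to the log, removes X-APIHEADER before the request reaches the backend, and rejects an empty or missing header explicitly. The sequence name key_mapping_strict and the placeholder key value are assumptions made for this example.

```xml
<!-- Added example, not the original author's sequence.
     Assumptions: the name key_mapping_strict and the placeholder key value. -->
<sequence name="key_mapping_strict" xmlns="http://ws.apache.org/ns/synapse">
    <!-- Header value sent by the client -->
    <property name="apiheader" expression="$trp:X-APIHEADER"/>
    <!-- Placeholder: replace with your own key -->
    <property name="apikey" value="REPLACE_WITH_YOUR_KEY"/>
    <!-- Strip the key so it is not forwarded to the backend service -->
    <header name="X-APIHEADER" scope="transport" action="remove"/>
    <!-- Pass only when the header is non-empty AND equals the configured key -->
    <filter xpath="string-length(get-property('apiheader')) &gt; 0 and get-property('apiheader') = get-property('apikey')">
        <then>
            <!-- Log the outcome only, never the key or the submitted value -->
            <log level="custom">
                <property name="keyCheck" value="Matched"/>
            </log>
        </then>
        <else>
            <log level="custom">
                <property name="keyCheck" value="Not Matched"/>
            </log>
            <payloadFactory media-type="xml">
                <format>
                    <am:fault xmlns:am="http://wso2.org/apimanager">
                        <am:type>Status report</am:type>
                        <am:message>Runtime Error: Invalid credentials</am:message>
                    </am:fault>
                </format>
                <args/>
            </payloadFactory>
            <!-- Same status code as the original sequence -->
            <property name="HTTP_SC" value="510" scope="axis2"/>
            <!-- Return the fault to the client; the backend is not called -->
            <respond/>
        </else>
    </filter>
</sequence>
```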

Because this mechanism requires publishing the API in no-credential mode, you cannot handle throttling the way you can when an OAuth key is used to invoke the API.







Nadee Poornima


Senior Software Engineer at WSO2
