Protect your API Proxy by adding an Application Key Verification


By Meredith Hassett

In this tutorial you will learn how to protect your API Proxy with a first simple policy - the "Verify API Key" Policy.


You will learn

SAP Cloud Platform, API Management offers several out-of-the-box policies which help you protect, model and “work” with your APIs. One of the security-related policies is the “Verify API Key” Policy.

In this tutorial you will learn how to protect your API Proxy with the “Verify API Key” Policy. This policy allows you to add a simple protection via a so-called API Key. Only calls which send a valid API Key along with the main request will be allowed to call the API Proxy.

Step 1: Learn about the API call flow

It is important to understand the API policy flow so that you know why a policy is applied at a certain time in the flow. For instance, access policies should be verified before the API call to avoid using resources unnecessarily. The entire request/response cycle is divided first into segments and then, within each segment, into processing stages.

Where do you check the fundamental requirements of an Incoming Request?
Step 2: Learn about the Policy Editor

When creating a policy, you will need to know how the information is available in the policy and policy editor. Understand how the Policy Designer accesses the proxy flow by reading this blog post.

When looking at the stages of the request flow in the Policy Editor, which policies are shown?
Step 3: Learn about how to assign a policy to a proxy

Edit a policy and assign it to your proxy flow. This blog will ensure you know how to identify the proper stage to add a policy, as well as how to assign a policy to the flow.

What is the value for ref in the APIKey tag for the CheckAPIKey Policy?
Step 4: Learn about assigning multiple policies

You will look at assigning multiple policies to various processing stages, and how the outcome of one policy can be used to influence the behavior of another policy.

Which property do you set when creating a policy to determine if you should check the response or request?
Step 5: Access the SAP API Management API Portal

Open the SAP API Management API Portal (you can get the URL from Enable the SAP Cloud Platform, API Management Service).

Access the API Portal
Step 6: View created APIs

Open the Hamburger Menu in the upper left corner and click on Develop.

Click on Develop
Step 7: Select an API

Select the API GWSAMPLE_BASIC created in a previous step in this tutorial series.

Select the GWSAMPLE_BASIC Proxy
Step 8: View API Policies

In the upper right corner click on Policies to open the policy information for the API.

Select policies on API page
Step 9: Open the edit page for policies

In the Policy Editor, click on Edit.

Click on Edit
Step 10: Edit the PreFlow policies

Select the PreFlow from the ProxyEndpoint on the left hand side.

Select pre-flow
Step 11: Add Verify API Key policy

On the right-hand side, find the Security Policies section under the Policies pane. Find the Verify API Key policy and click the + next to the policy name.

Add Verify API Key policy
Step 12: Enter policy name

Enter the Policy Name CheckAPIKey and click on Add.

Enter CheckAPIKey
Step 13: Update API Key tag

In the Code Editor found in the bottom pane, look for the <APIKey ... /> tag. Replace the string variable_containing_api_key with request.header.APIKey.

Adjust the policy
Step 14: Update and save changes

Click on Update to apply the new policies.

Click on Update

Click on Save to save the changes to the API and enforce the new policies.

Click on Save


  • When you now open the API Proxy in a browser you will get an error message stating that you need to pass an API Key in the header APIKey.
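One way to confirm that the saved policy is actually enforced on a proxy you own, as an added example that is not part of the original tutorial or SAP's code. The function names, the sample key and the local stand-in server (including its 401 rejection status) are assumptions made so the check runs offline; point `check_key_enforcement` at your own proxy URL and key to use it for real.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

HEADER = "APIKey"  # header read by the policy (ref: request.header.APIKey)

def status(url, headers):
    """GET url and return the status code, also for 4xx/5xx answers."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def check_key_enforcement(url, valid_key):
    """Return [(case, status)] for every case where the proxy misbehaved."""
    cases = [
        ("no key", {}, False),
        ("empty key", {HEADER: ""}, False),
        ("wrong key", {HEADER: valid_key[::-1] + "x"}, False),
        ("valid key", {HEADER: valid_key}, True),
    ]
    failures = []
    for name, headers, should_pass in cases:
        code = status(url, headers)
        if (200 <= code < 300) != should_pass:
            failures.append((name, code))
    return failures

def start_stand_in(valid_key, enforce=True):
    """Constructed local stand-in for a key-protected proxy (not SAP code)."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            ok = not enforce or self.headers.get(HEADER) == valid_key
            self.send_response(200 if ok else 401)  # 401 is an assumption
            self.end_headers()
        def log_message(self, *args):  # keep the console quiet
            pass
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}/"

if __name__ == "__main__":
    key = "constructed-sample-key"
    server, url = start_stand_in(key)
    print(check_key_enforcement(url, key))
    server.shutdown()
```

An empty result means every unauthenticated case was rejected and the valid key was accepted; any entry names the case that slipped through, which usually means the policy was not saved or sits in the wrong flow stage.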

Next Steps

Updated 09/13/2017

Time to Complete

20 Min.
