Protect your API Proxy by adding an Application Key Verification

In this tutorial you will learn how to protect your API Proxy with a first simple policy - the "Verify API Key" Policy.

Details

You will learn

SAP Cloud Platform, API Management offers several out of the box policies which help you protect, model and “work” with your APIs. One of the security related Policies is the “Verify API Key” Policy.

In this tutorial you will learn how to protect your API Proxy with the “Verify API Key” Policy. This policy allows you to add a simple protection via a so called API Key. Only calls which send a valid API Key along with the main request will be allowed to call the API Proxy.

Step 1: Learn about the API call flow

It is important to understanding the API policy flow so you gain an understanding of why a policy is applied at a certain time in the flow. For instance, access policies should be verified before the API call to reduce using resources unnecessarily. The entire request/response cycle is divided up, first into segments, then within each segment, into processing stages.

Where do you check the fundamentals requirements of an Incoming Request?

Step 2: Learn about the Policy Editor

When creating a policy, you will need to know how the information is available in the policy and policy editor. Understand how the Policy Designer accesses the proxy flow by reading this blog post.

When looking at the stages of the request flow in the Policy Editor, which policies are shown? All policies assigned to the entire flow All policies assigned to the selected endpoint system All policies assigned to the selected stage in the endpoint

Step 3: Learn about how to assign a policy to a proxy

Edit a policy and assign it to your proxy flow. This blog will ensure you know how to identify the proper stage to add a policy, as well as how to assign a policy to the flow.

What is the value for ref in the the APIKey tag for the CheckAPIKey Policy?

Step 4: Learn about assigning multiple policies

You will look at assigning multiple policies to various processing stages, and how the outcome of one policy can be used to influence the behavior of another policy.

Which property do you set when creating a policy to determine if you should check the response or request?

Step 5: Access the SAP API Management API Portal

Open the SAP API Management API Portal (you can get the URL from Enable the SAP Cloud Platform, API Management Service.

Step 6: View created APIs

From the Hamburger Menu in the upper left corner and click on Develop.

Step 7: Select an API

Select the API GWSAMPLE_BASIC created in a previous step in the this tutorial series.

Step 8: View API Policies

In the upper right corner click on Policies to open the policy information for the API.

Step 9: Open the edit page for policies

In the Policy Editor, click on Edit.

Step 10: Edit the PreFlow policies

Select the PreFlow from the ProxyEndpoint on the left hand side.

Step 11: Add Verify API Key policy

On the right hand, find the Security Policies section under the Policies pane. Find the Verify API Key policy and click the + next to the policy name.

Step 12: Enter policy name

Enter the Policy Name CheckAPIKey and click on Add.

Step 13: Update API Key tag

In the Code Editor found in the bottom pane, look for the <APIKey ... /> tag. Replace the string variable_containing_api_key with request.header.APIKey.