This repository has been archived by the owner on Aug 11, 2022. It is now read-only.

2.1 Configure Inbound Security

Chris Wiechmann edited this page Dec 5, 2019 · 6 revisions

Inbound Security controls how a consuming application must authenticate itself against the exposed API. By default the API-Manager supports: API-Key, OAuth, OAuth (External), AWS-Signing, HTTP-Basic, Passthrough, Custom-Policy.

Please note: As of now only the Default Security-Device is supported. That means you cannot combine multiple security devices and link them to the API.

Most of the fields are self-explanatory, hence only the relevant fields are explained underneath each example. As the Security-Profiles configured here are used by the API-Manager, please review the Axway standard documentation for further information: Configure Inbound request settings

Please note:
If no Security-Profile is configured for your API, it defaults to the PassThrough-Profile.


To enforce an API-Key from consuming applications, set up your API with the following Security-Profile and configure it to your needs.

```json
   "name":"API-Key secured API",
   "organization":"API Development",
               "name":"API Key",
```

Explained fields:
"name":"_default" - Don't change this. It identifies this profile as the main API-Security profile.
"isDefault":true - Don't change this. It marks the profile as the default, complementing the name above.
"devices" - As of today, only one security device is supported. Don't add additional devices.
"order":0 - Don't change this.
"takeFrom" - Can be HEADER or QUERY.


When your API should be secured by OAuth and the API-Manager should act as the OAuth authorization server, add the following Security-Profile.

```json
               "tokenStore":"OAuth Access Token Store",
               "scopes":"resource.WRITE, resource.READ",
```

OAuth (External)

Use OAuth (External) when an external Token-Provider such as Auth0, KeyCloak, etc. is used. Please make sure the configured Token-Information Policy is in place; if it is not, the deployment will fail, because the program validates it.

```json
            "name":"OAuth (External)",
               "tokenStore":"Tokeninfo policy 1",
               "scopes":"resource.WRITE, resource.READ, resource.ADMIN",
```

Explained fields:
"name":"_default" - Don't change this. It identifies this profile as the main API-Security profile.
"isDefault":true - Don't change this. It marks the profile as the default, complementing the name above.
"devices" - As of today, only one security device is supported. Don't add additional devices.
"order":0 - Don't change this.
"takeFrom" - Can be HEADER or QUERY.
"tokenStore" - Please provide the name of your token-information policy.
"subjectSelector" - Only used when use-client-registry is turned off.

Invoke policy

If you want to use your own custom policy to authenticate the consuming application, use the following Security-Profile:

```json
               "name":"Invoke Policy",
                  "authenticationPolicy":"Custom authentication policy",
```

If the given custom policy isn't configured in the API-Manager beforehand, you will get an error. I haven't tested whether the internal description flags have any impact.
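The rules this page states for the API-Key, OAuth, OAuth (External) and Invoke Policy profiles (one default profile named `_default`, a single device with `order` 0, `takeFrom` HEADER or QUERY, a `tokenStore` or `authenticationPolicy` that must exist) can be checked before deploying. The script below is an added example, not code from this wiki or from the CLI it documents; the key names `securityProfiles` and `properties` are assumptions, not taken from the page, and the sample config is constructed.

```python
"""Pre-deployment check of an API config's Inbound Security profile.

Added example, not code from this wiki or the CLI it documents; it encodes the
rules stated on the page. ASSUMED names (not on the page): profiles live under
a top-level "securityProfiles" list and device settings under "properties".
"""
import json

# Device name as written on this page -> settings that must be present.
DEVICE_RULES = {
    "API Key": {"takeFrom"},
    "OAuth": {"tokenStore"},
    "OAuth (External)": {"tokenStore"},
    "Invoke Policy": {"authenticationPolicy"},
}

def check_inbound_security(config: dict) -> list:
    """Return findings; an empty list means the profile matches the rules."""
    profiles = config.get("securityProfiles")
    if not profiles:
        # Page: without a Security-Profile the API falls back to Passthrough.
        return ["no securityProfiles: API would be deployed as Passthrough"]
    findings = []
    if len(profiles) != 1:
        findings.append("only the default profile is supported, found %d" % len(profiles))
    for prof in profiles:
        if prof.get("name") != "_default" or prof.get("isDefault") is not True:
            findings.append('profile must be "_default" with "isDefault": true')
        devices = prof.get("devices", [])
        if len(devices) != 1:
            findings.append("exactly one security device is supported, found %d" % len(devices))
        for dev in devices:
            if dev.get("order") != 0:
                findings.append('device "order" must be 0')
            props = dev.get("properties", {})
            required = DEVICE_RULES.get(dev.get("name"))
            if required is None:
                findings.append("no field rules on this page for device %r" % dev.get("name"))
                continue
            for key in sorted(required - set(props)):
                findings.append('device %s lacks "%s"' % (dev["name"], key))
            if props.get("takeFrom", "HEADER") not in ("HEADER", "QUERY"):
                findings.append('"takeFrom" must be HEADER or QUERY')
    return findings

# Constructed sample: the API-Key profile sketched on this page.
API_KEY_CONFIG = json.loads("""{"name": "API-Key secured API",
  "organization": "API Development", "securityProfiles": [{"name": "_default",
  "isDefault": true, "devices": [{"name": "API Key", "order": 0,
  "properties": {"takeFrom": "HEADER"}}]}]}""")
```

Running `check_inbound_security(API_KEY_CONFIG)` returns an empty list; an empty config returns the Passthrough warning, which is the silent fallback worth catching in a pipeline.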