The following defines the different security policies you can enforce on your APIs.

- apiKey
- clientSecret
- oauth2

apiKey

Enforces API Key authorization to secure api calls.

| Type | Allowed scopes | Default header |
| --- | --- | --- |
| apiKey | api, tenant, resource | x-api-key |

Example:

```json
"security":[ { "type":"apiKey", "scope":"api", "header":"test" } ]
```
clientSecret

Enforces Client ID / Client Secret pair authorization to secure api calls.

| Type | Allowed scopes | Default ID header | Default secret header |
| --- | --- | --- | --- |
| clientSecret | api, tenant, resource | x-client-id | x-client-secret |

Example:

```json
"security":[ { "type":"clientSecret", "scope":"api", "idFieldName":"X-IBM-ClientId", "secretFieldName":"X-IBM-ClientSecret" } ]
```

This will create two API keys for the API, which will need to be supplied in the X-IBM-ClientId and X-IBM-ClientSecret headers, respectively.
oauth2

Perform token introspection for various social login providers and enforce token validation on that basis.

| Type | Allowed scopes |
| --- | --- |
| oauth2 | api, tenant, resource |

Example:

```json
"security":[ { "type":"apiKey", "scope":"api", "header":"test" }, { "type":"oauth2", "scope":"api", "provider":"google" } ]
```
This will require that an API key is supplied in the test header, and that a valid Google OAuth token is specified in the authorization header.
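As an added example (not the gateway's own code), the following Python check evaluates a "security" array the way the page describes for the apiKey and clientSecret types: every policy in the array must pass, the default header names apply when a policy omits them, and the header overrides from the examples above are honoured. The credential store values are constructed, and oauth2 is reported as unsupported because provider introspection is not modelled here.

```python
import hmac

# Policy arrays copied from the page's two examples.
APIKEY_POLICY = [{"type": "apiKey", "scope": "api", "header": "test"}]
CLIENT_SECRET_POLICY = [{"type": "clientSecret", "scope": "api",
                         "idFieldName": "X-IBM-ClientId", "secretFieldName": "X-IBM-ClientSecret"}]

# Constructed credential store with hypothetical values (not from the page).
CREDENTIALS = {"apiKeys": {"key-abc123"}, "clients": {"client-1": "secret-xyz"}}


def _header(headers, name):
    # HTTP header names are case-insensitive, so normalise before looking up.
    return {k.lower(): v for k, v in headers.items()}.get(name.lower())


def _equals_any(supplied, candidates):
    # Constant-time comparison against every candidate, never short-circuiting.
    matched = False
    for candidate in candidates:
        matched |= hmac.compare_digest(supplied.encode(), candidate.encode())
    return matched


def check_security(policies, headers, credentials=CREDENTIALS):
    """Evaluate every entry of the "security" array; all must pass. Returns (ok, reason)."""
    for policy in policies:
        ptype = policy.get("type")
        if ptype == "apiKey":
            name = policy.get("header", "x-api-key")  # page default when "header" is omitted
            supplied = _header(headers, name)
            if supplied is None:
                return False, f"missing {name} header"
            if not _equals_any(supplied, credentials["apiKeys"]):
                return False, "invalid API key"
        elif ptype == "clientSecret":
            id_name = policy.get("idFieldName", "x-client-id")
            secret_name = policy.get("secretFieldName", "x-client-secret")
            client_id, secret = _header(headers, id_name), _header(headers, secret_name)
            if client_id is None or secret is None:
                return False, f"missing {id_name} or {secret_name} header"
            expected = credentials["clients"].get(client_id)  # None for unknown ids
            # Always run the comparison so unknown ids cost the same as wrong secrets.
            if not (_equals_any(secret, [expected or "\0"]) and expected):
                return False, "invalid client id/secret pair"
        else:
            # oauth2 needs provider token introspection, which this snippet does not model.
            return False, f"unsupported policy type: {ptype}"
    return True, "ok"
```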