The following defines the different security policies you can enforce on your APIs:

- `apiKey`
- `clientSecret`
- `oauth2`

### apiKey

Enforces API key authorization to secure API calls.

| Field | Value |
| --- | --- |
| `type` | `apiKey` |
| `scope` | `api`, `tenant`, `resource` |
| `name` | `x-api-key` |
| `location` | `header` |

Example:

```json
"security":[ { "type":"apiKey", "scope":"api", "name":"test", "location":"header" } ]
```

### clientSecret

Enforces client ID / client secret pair authorization to secure API calls.

| Field | Value |
| --- | --- |
| `type` | `clientSecret` |
| `scope` | `api`, `tenant`, `resource` |
| `idFieldName` | `x-client-id` |
| `secretFieldName` | `x-client-secret` |
| `location` | `header` |

Example:

```json
"security":[ { "type":"clientSecret", "scope":"api", "idFieldName":"X-IBM-ClientId", "secretFieldName":"X-IBM-ClientSecret", "location": "header" } ]
```

This creates two credentials for the API (a client ID and a client secret), which must be supplied in the `X-IBM-ClientId` and `X-IBM-ClientSecret` headers (or query string parameters, when `location` selects the query string).

### oauth2

Performs token introspection against various social login providers and enforces token validation on that basis.

| Field | Value |
| --- | --- |
| `type` | `oauth2` |
| `scope` | `api`, `tenant`, `resource` |

Example:

```json
"security":[ { "type":"apiKey", "scope":"api", "header":"test" }, { "type":"oauth2", "scope":"api", "provider":"google" } ]
```

This requires that an API key is supplied in the `test` header and that a valid Google OAuth token is supplied in the `Authorization` header.