package envoy.extensions.filters.http.api_key_auth.v3

Get desktop application:
View/edit binary Protocol Buffers messages

API Key HTTP authentication. For example, the following configuration configures the filter to authenticate the clients using the API key from the header ``X-API-KEY``. And only the clients with the key ``real-key`` are considered as authenticated. .. code-block:: yaml credentials: - key: real-key client: user key_sources: - header: "X-API-KEY"

• repeated Credential credentials = 1

  The credentials that are used to authenticate the clients.

• repeated KeySource key_sources = 2

  The key sources to fetch the key from the coming request.

API key auth configuration of per route or per virtual host or per route configuration.

• repeated Credential credentials = 1

  The credentials that are used to authenticate the clients. If this field is non-empty, then the credentials in the filter level configuration will be ignored and the credentials in this configuration will be used.

• repeated KeySource key_sources = 2

  The key sources to fetch the key from the coming request. If this field is non-empty, then the key sources in the filter level configuration will be ignored and the key sources in this configuration will be used.

• repeated string allowed_clients = 3

  A list of clients that are allowed to access the route or vhost. The clients listed here should be subset of the clients listed in the ``credentials`` to provide authorization control after the authentication is successful. If the list is empty, then all authenticated clients are allowed. This provides very limited but simple authorization. If more complex authorization is required, then use the :ref:`HTTP RBAC filter <config_http_filters_rbac>` instead. .. note:: Setting this field and ``credentials`` at the same configuration entry is not an error but also makes no much sense because they provide similar functionality. Please only use one of them at same configuration entry except for the case that you want to share the same credentials list across multiple routes but still use different allowed clients for each route.

Single credential entry that contains the API key and the related client id.

Used in: ApiKeyAuth, ApiKeyAuthPerRoute

• string key = 1

  The value of the unique API key.

• string client = 2

  The unique id or identity that used to identify the client or consumer.

Used in: ApiKeyAuth, ApiKeyAuthPerRoute

• string header = 1

  The header name to fetch the key. If multiple header values are present, the first one will be used. If the header value starts with 'Bearer ', this prefix will be stripped to get the key value. If set, takes precedence over ``query`` and ``cookie``.

• string query = 2

  The query parameter name to fetch the key. If multiple query values are present, the first one will be used. The field will be used if ``header`` is not set. If set, takes precedence over ``cookie``.

• string cookie = 3

  The cookie name to fetch the key. The field will be used if the ``header`` and ``query`` are not set.