Enable Key Authentication for Application Registration

    The key auth plugin uses the same Client ID as generated for the Kong OAuth2 plugin. You can use the same Client ID credential for a Service that has the OAuth2 plugin enabled.

    • Enable the Application Registration plugin on a Service.
    • Activate your application for a Service if you have not already done so. The Service Contract must be approved by an Admin if auto approve is not enabled.
    • if you don’t want to use the default credential initially created for you.

    In Kong Manager, access the Service for which you want to enable key authentication for use with application registration:

    1. From your Workspace, in the left navigation pane, go to API Gateway > Services.
    2. On the Services page, select the Service and click View.
    3. In the Plugins pane in the Services page, click Add a Plugin.

    4. On the Add New Plugin page in the Authentication section, find the Key Authentication Plugin and click Enable.

    5. Complete the fields as appropriate for your application. In this example, the Service is already prepopulated. Refer to the parameters described in the next section, , to complete the fields.

    6. Click Create.

    Generate a Client ID credential to use as an API key. You can generate multiple credentials.

    1. Application Authentication Pane

      Now you can make requests using the Client ID as an API Key.

    The Client ID of your credentials can be used as an API key to make authenticated requests to a Service.

    Tip: You can also access key request instructions directly within the user interface from the information icon in the Services details area of your application. Click the i icon to open the Service Details page.

    Scroll to view all of the available examples.

    Service Details Page Embedded Key Usage Instructions

    Use cases for key locations:

    • Recommended: Use (enabled by default) as the most common and secure way to do service-to-service calls.
    • If you need to share links to browser clients, use key_in_query (enabled by default). Note that query parameter requests can appear within application logs and URL browser bars, which expose the API key.
    • If you are sending a form with a browser, such as a login form, use key_in_body. This option is set to false by default because it’s a less common use case, and is a more expensive and less performant HTTP request.

    cURL

    HTTPie

    1. http {proxy}/{route}?apikey={CLIENT_ID}

    Response (will be the same for all valid requests regardless of key location):

    cURL

    HTTPie

    1. curl -X POST {proxy}/{route} \
    2. --header "apikey: {CLIENT_ID}"

    cURL

    HTTPie

    1. curl -X POST {proxy}/{route} \
    2. --data "apikey:={CLIENT_ID}"

    Note: The key_in_body parameter must be set to .