# Secure an API by requiring API keys

*This page applies to **Apigee** and **Apigee hybrid**.*

*View [Apigee Edge](https://docs.apigee.com/api-platform/get-started/what-apigee-edge) documentation.*

> **Note:** This video was recorded with a previous version of the Apigee UI; however, the concepts are still valid.

**Video:** Check out this short video for an introduction on securing your API.

**What you'll learn**

This tutorial explains how to:

- Create an API proxy that requires an API key.
- Create an API product, a developer, and a developer app.
- Call your API with an API key.

It's important to protect your API from unauthorized access. One way to do that is with API keys.

When an app makes a request to an API proxy that is configured to verify an API key, the app must supply a valid key. At runtime, the Verify API Key policy checks that the supplied API key:

- Is valid
- Hasn't been revoked
- Matches the API key for the API product that exposes the requested resources

If the key is valid, the request is allowed. If the key is invalid, the request results in an authorization failure.

Create the API proxy
--------------------

1. Go to the [Apigee UI](https://apigee.google.com) and sign in.
2. Select your organization using the drop-down menu in the upper left corner of the UI.
3. Click **Develop > API Proxies** to display the API proxies list.
4. Click **Create New**.
5. In the Build a Proxy wizard, select **Reverse proxy (most common)**.
6. Configure the proxy as follows:

   | In this field | Do this |
   |---|---|
   | Proxy Name | Enter: `helloworld_apikey` |
   | Project Base Path | Change to: `/helloapikey`. The Project Base Path is part of the URL used to make requests to the API proxy. |
   | Description | Enter: `hello world protected by API key` |
   | Target (Existing API) | Enter: `http://mocktarget.apigee.net`. This defines the target URL that Apigee invokes on a request to the API proxy. This target just returns a simple response: `Hello, Guest!`. |

7. Click **Next**.
8. On the **Common policies** page, select **API Key**. This option automatically adds two policies to your API proxy and creates an API product needed for generating the API key.
9. Click **Next**.
10. On the Summary page, make sure a deployment environment is selected, and click **Create and deploy**.
11. Click **Edit proxy** to display the Overview page for the API proxy.

View the policies
-----------------

1. In the API proxy editor, click the **Develop** tab. You'll see that two policies have been added to the request flow of the API proxy:
   - **Verify API Key** – Checks the API call to make sure a valid API key is present (sent as a query parameter).
   - **Remove Query Param apikey** – An Assign Message policy that removes the API key after it's checked, so that it doesn't get passed around and exposed unnecessarily.
2. Click the Verify API Key policy icon in the flow view, and look at the policy's XML configuration in the lower code view. The `<APIKey>` element tells the policy where it should look for the API key when the call is made. By default, it looks for the key as a query parameter called `apikey` in the HTTP request:

   ```xml
   <APIKey ref="request.queryparam.apikey" />
   ```

   The name `apikey` is arbitrary and can be any property that contains the API key.

Try to call the API
-------------------

In this step, you'll make a successful API call directly to the target service, then you'll make an unsuccessful call to the API proxy to see how it's being protected by the policies.

1. **Success**

   In a web browser, go to the following address. This is the target service that the API proxy is configured to forward the request to, but you'll hit it directly for now:

   ```text
   http://mocktarget.apigee.net
   ```

   You should get this successful response: `Hello, Guest!`

2. **Failure**

   Now try to call your API proxy:

   ```shell
   curl -v -k https://YOUR_ENV_GROUP_HOSTNAME/helloapikey
   ```

   where `YOUR_ENV_GROUP_HOSTNAME` is the environment group hostname. See [Find the environment group hostname](/apigee/docs/api-platform/get-started/test-proxy#find-the-environment-group-hostname).

   > **Note:** If you have trouble calling the proxy, you may need to add the `Host` header, as described in [Deploy a sample proxy](/apigee/docs/api-platform/get-started/deploy-sample).

   Without the Verify API Key policy, this call would give you the same response as the previous call. But in this case, you should get the following error response:

   ```json
   {"fault":{"faultstring":"Failed to resolve API Key variable request.queryparam.apikey","detail":{"errorcode":"steps.oauth.v2.FailedToResolveAPIKey"}}}
   ```

   which means, correctly, that you didn't pass a valid API key (as a query parameter).

In the next steps, you'll get the required API key.
Adding an API product
---------------------

To add an API product using the Apigee UI:

1. Select **Publish > API Products**.
2. Click **+Create**.
3. Enter the Product Details for your API product.

   | Field | Description |
   |---|---|
   | Name | Internal name of the API product. Do not specify special characters in the name. **Note:** You cannot edit the name once the API product is created. |
   | Display name | Display name for the API product. The display name is used in the UI and you can edit it at any time. If not specified, the Name value will be used. This field is auto-filled using the Name value; you can edit or delete its contents. The display name can include special characters. |
   | Description | Description of the API product. |
   | Environment | Environments to which the API product will allow access. For example, `test` or `prod`. |
   | Access | Select **Public**. |
   | Automatically approve access requests | Enable automatic approval of key requests for this API product from any app. |
   | Quota | Ignore for this tutorial. |
   | Allowed OAuth Scopes | Ignore for this tutorial. |

4. In the **Operations** section, click **ADD AN OPERATION**.
5. In the API Proxy field, select the API proxy you just created.
6. In the Path field, enter "/". Ignore the other fields.
7. Click **Save** to save the Operation.
8. Click **Save** to save the API product.

Add a developer and app to your organization
--------------------------------------------

Next, we're going to simulate the workflow of a developer signing up to use your APIs. A developer will have one or more apps that call your APIs, and each app gets a unique API key. This gives you, the API provider, more granular control over access to your APIs and more granular reporting on API traffic by app.

### Create a developer

To create a developer:

1. Select **Publish > Developers** in the menu.
   **Note:** If you are still in the Develop screen, click on the **"<"** by **DEVELOP** to display the menu and select **Publish > Developers**.
2. Click **+ Developer**.
3. Enter the following in the New Developer window:

   | In this field | Enter |
   |---|---|
   | First Name | Keyser |
   | Last Name | Soze |
   | Username | keyser |
   | Email | keyser@example.com |

4. Click **Create**.

### Register an app

To register a developer app:

1. Select **Publish > Apps**.
2. Click **+ App**.
3. Enter the following in the New Developer App window:

   | In this field | Do this |
   |---|---|
   | Name and Display Name | Enter: `keyser_app` |
   | Developer | Select: Keyser Soze (keyser@example.com) |
   | Callback URL and Notes | Leave blank |

4. In the Credentials section, select **Never**. The credentials for this app will never expire.
5. Click **Add product**.
6. Select the product you just created.
7. Click **Create**.

### Get the API key

To get the API key:

1. On the Apps page (Publish > Apps), click **keyser_app**.
2. On the **keyser_app** page, click **Show** next to **Key** in the **Credentials** section. Notice that the key is associated with the product you created.
3. Select and copy the key. You'll use it in the next step.
Call the API with a key
-----------------------

Now that you have an API key, you can use it to call the API proxy. Paste the API key as shown, as a query parameter. Make sure there are no extra spaces in the query parameter.

```shell
curl -v -k https://YOUR_ENV_GROUP_HOSTNAME/helloapikey?apikey=your_api_key
```

Now when you call the API proxy, you should get this response: `Hello, Guest!`

Congratulations! You've created an API proxy and protected it by requiring that a valid API key be included in the call.

Note that in general it's not good practice to pass an API key as a query parameter. You should consider [passing it in the HTTP header instead](#extracreditpassingthekeyinthehttpheader).

Best practice: Passing the key in the HTTP header
-------------------------------------------------

> **Note:** It's a good practice to pass the API key in a header rather than in a query parameter. Query parameters appear in the browser history and network logs, which could present a security risk. Headers do not appear in the browser history and network logs.

In this step, you will modify the proxy to look for the API key in a header called `x-apikey`.

1. Edit the API proxy. Select **Develop > API Proxies > helloworld_apikey**, and go to the **Develop** view.
2. Select the **Verify API Key** policy, and modify the policy XML to tell the policy to look in the `header` rather than in the `queryparam`:

   ```xml
   <APIKey ref="request.header.x-apikey"/>
   ```

3. **Save** the API proxy and use **Deploy** to deploy it.
4. Make the following API call using cURL to pass the API key as a header called `x-apikey`. Don't forget to substitute your organization name.

   ```shell
   curl -v -H "x-apikey: {api_key_goes_here}" http://YOUR_ENV_GROUP_HOSTNAME/helloapikey
   ```

Note that to fully complete the change, you'd also need to configure the Assign Message policy to remove the header instead of the query parameter. For example:

```xml
<Remove>
  <Headers>
    <Header name="x-apikey"/>
  </Headers>
</Remove>
```

> **Note:** You could also pass the API key as a form parameter. If you did, the Verify API Key policy would be configured like this:
>
> ```xml
> <APIKey ref="request.formparam.{api_key_goes_here}"/>
> ```

Related topics
--------------

Here are some topics related to API products and keys:

- [Managing API products](/apigee/docs/api-platform/publish/create-api-products)
- [API keys](/apigee/docs/api-platform/security/api-keys)
- [Registering app developers](/apigee/docs/api-platform/publish/adding-developers-your-api-product)
- [Register apps and manage API keys](/apigee/docs/api-platform/publish/creating-apps-surface-your-api)
- [Verify API Key policy](/apigee/docs/api-platform/reference/policies/verify-api-key-policy)

API protection often involves additional security such as [OAuth](/apigee/docs/api-platform/security/oauth/oauth-home), an open protocol that exchanges credentials (like username and password) for access tokens. Access tokens are long, random strings that can be passed through a message pipeline, including from app to app, without compromising the original credentials.

For an overview of security-related topics, see [Securing a proxy](https://cloud.google.com/apigee/docs/api-platform/security/api-security).
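The following is an added worked example written for this page; it is not Apigee's implementation or any code from the tutorial. It models the request flow the tutorial builds: the Verify API Key checks listed at the top of the page (key present and known, not revoked, approved for a product that exposes the resource), resolved from a `ref` such as `request.queryparam.apikey` or `request.header.x-apikey`, followed by the Assign Message `<Remove>` step that strips the credential before the request reaches the target. The `Request`, `Credential`, `verify_api_key`, `strip_key` and `handle` names, the product and key records, and every errorcode other than `steps.oauth.v2.FailedToResolveAPIKey` (which is reproduced from the page) are constructed for this example. It also shows why switching the policy to the header form breaks callers that still send the key as a query parameter: the policy cannot resolve the key at all and returns the same fault the page shows.

```python
"""Added example, not Apigee's own code: a small model of the two request-flow
policies this tutorial adds (Verify API Key, then the Assign Message step that
removes the key before the request is forwarded). All product, app and key
records below are constructed for the example; only the missing-key fault
reproduces what the page shows."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple, Union


@dataclass
class Request:
    path: str  # path below the proxy base path, e.g. "/"
    queryparams: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)
    formparams: Dict[str, str] = field(default_factory=dict)

    def __post_init__(self):
        # Header names are case-insensitive; store them lower-cased.
        self.headers = {k.lower(): v for k, v in self.headers.items()}


@dataclass
class Credential:
    app: str            # developer app the key was issued to
    products: Set[str]  # API products the key is approved for
    revoked: bool = False


# Constructed records: one API product exposing path "/" on the tutorial proxy.
PRODUCTS = {"hello-product": {"proxy": "helloworld_apikey", "paths": {"/"}}}
CREDENTIALS = {
    "k-keyser-CONSTRUCTED": Credential("keyser_app", {"hello-product"}),
    "k-revoked-CONSTRUCTED": Credential("old_app", {"hello-product"}, revoked=True),
    "k-other-CONSTRUCTED": Credential("other_app", {"unrelated-product"}),
}
TARGET_RESPONSE = "Hello, Guest!"  # what http://mocktarget.apigee.net returns
_SOURCES = ("queryparam", "header", "formparam")


def _split_ref(ref: str) -> Tuple[str, str]:
    """Parse an <APIKey ref="..."/> value such as request.queryparam.apikey or
    request.header.x-apikey into (source kind, parameter name)."""
    parts = ref.split(".", 2)
    if len(parts) != 3 or parts[0] != "request" or parts[1] not in _SOURCES:
        raise ValueError(f"unsupported ref: {ref}")
    kind, name = parts[1], parts[2]
    return kind, (name.lower() if kind == "header" else name)


def _store(kind: str, req: Request) -> Dict[str, str]:
    return {"queryparam": req.queryparams, "header": req.headers,
            "formparam": req.formparams}[kind]


def fault(faultstring: str, errorcode: str) -> dict:
    return {"fault": {"faultstring": faultstring, "detail": {"errorcode": errorcode}}}


def verify_api_key(ref: str, req: Request, proxy: str = "helloworld_apikey") -> Optional[dict]:
    """The checks the tutorial lists: key present and known, not revoked, and
    approved for an API product that exposes the requested proxy path.
    Returns None when the request may proceed, otherwise a fault body."""
    kind, name = _split_ref(ref)
    key = _store(kind, req).get(name)
    if not key:
        # Verbatim fault from the page for a key the policy cannot resolve.
        return fault(f"Failed to resolve API Key variable {ref}",
                     "steps.oauth.v2.FailedToResolveAPIKey")
    cred = CREDENTIALS.get(key)
    # The remaining errorcodes are placeholders for this model, not Apigee's.
    if cred is None:
        return fault("Invalid API key", "INVALID_KEY")
    if cred.revoked:
        return fault("API key has been revoked", "KEY_REVOKED")
    # Simplified resource match: real products use path patterns with wildcards.
    exposed = any(PRODUCTS[p]["proxy"] == proxy and req.path in PRODUCTS[p]["paths"]
                  for p in cred.products if p in PRODUCTS)
    if not exposed:
        return fault("API key not approved for this resource", "PRODUCT_MISMATCH")
    return None


def strip_key(ref: str, req: Request) -> Request:
    """Assign Message <Remove>: drop the credential so the target never sees it."""
    kind, name = _split_ref(ref)
    _store(kind, req).pop(name, None)
    return req


def handle(ref: str, req: Request) -> Tuple[int, Union[str, dict], Optional[Request]]:
    """Run the request flow. Returns (status, body, request forwarded to target)."""
    err = verify_api_key(ref, req)
    if err:
        return 401, err, None
    return 200, TARGET_RESPONSE, strip_key(ref, req)


if __name__ == "__main__":
    for ref, req in [
        ("request.queryparam.apikey", Request("/")),
        ("request.queryparam.apikey", Request("/", queryparams={"apikey": "k-keyser-CONSTRUCTED"})),
        ("request.header.x-apikey", Request("/", headers={"X-ApiKey": "k-keyser-CONSTRUCTED"})),
        ("request.header.x-apikey", Request("/", queryparams={"apikey": "k-keyser-CONSTRUCTED"})),
        ("request.queryparam.apikey", Request("/", queryparams={"apikey": "k-revoked-CONSTRUCTED"})),
    ]:
        status, body, forwarded = handle(ref, req)
        print(ref, status, body, forwarded)
```

The forwarded `Request` returned by `handle` is what a target would receive; checking that it no longer carries `apikey` or `x-apikey` is the property the "Remove Query Param apikey" policy (and its header variant) exists to guarantee.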