Oracle API Platform Cloud Service: Configuring Key Validation and Header-Based Routing Policies

You can use a key validation policy to identify the incoming requests from registered applications by setting a header that includes the application key. This helps you to avoid servicing anonymous requests.

1. On the API Implementation tab, in the Available Policies section, expand Security, hold the cursor over Key Validation, and click Apply.

   

2. On the Apply Policy page, click Next.

   

3. On the Apply Policy page, enter or select the following values in these fields, and then click Apply:

   • Key Delivery Approach: Header
   • Key Header: my-key

   

   The Key Validation policy appears on the Request tab of the API Implementation panel.

   

4. On the APIs page, click Save Changes.

   

After you add the key validation policy to the Energy API, you must redeploy the API to activate the policy.

1. On the Deployments tab, hold the cursor over the production gateway name where the API is deployed, and then click Redeploy.

   

2. On the Redeploy menu, click Latest Iteration.

   

3. On the Deployment page, enter a comment about the reason to redeploy, and click Yes.

   

4. On the Deployments tab, wait until the deployment is complete before testing your API.

   

   Note: If the deployment isn't moved from the Waiting tab to the Deployed tab, then try refreshing the page.

   The Deployed tab is automatically updated when the API is deployed, and the date is updated with a new deployment date.

   

After the redeployment is complete, the API applies the key validation policy to the incoming requests, and the requests that don't include the application key, or include a wrong key, are rejected.

1. Build your API URL using this format:

   http://hostname.domain:port/api_endpoint_url/resource_path

2. Open the Postman client, enter or select the following values in these fields, and then click Send:

   • Method: GET
   • API URL: your API URL

   

   The request is rejected because it didn't include the my-key header.

   

3. In the Postman client, enter or select the following values in these fields, and then click Send:

   • Method: GET
   • API URL: your API URL
   • Header key/value: my-key / test

   

   The request is rejected because the my-key header included an invalid key.

   

4. In the Postman client, enter or select the following values in these fields, and then click Send:

   • Method: GET
   • API URL: your API URL
   • Header key/value: my-key / your application key

   

   Note: If you don't remember how to find your application key, go to the Applications page and then go to the Settings page of the registered application, where the App Key is displayed.

   

   The request retrieves the correct response because the application key was included in the request headers.

   

Header-based routing policies are used to route the incoming requests to specific service request URLs based on a header value. This policy lets you split a service into different back-end services to load balance the API traffic by including specific header values.

1. On the API Implementation tab, in the Available Policies section, expand Routing, hold the cursor over Header Based Routing, and click Apply.

   

2. On the Apply Policy page, select Key Validation from the Place after the following policy list, and then click Next.

   

3. On the Apply Policy page, enter or select the following values in these fields, and then click Add a new condition.

   • Condition 1 Header: server
   • Condition 1 Expression: <=
   • Condition 1 Value: 1
   • Condition 1 Set Service Request URL To: your_first_energy_api_implementation

   

   Note: If you don't have your own implementation of the Energy API, then use this service request URL as an example: http://private-b4f96-energy1.apiary-mock.com.

4. In the Condition 2 section, enter or select the following values in these fields, and then click Apply:

   • Header: server
   • Expression: >=
   • Value: 2
   • Set Service Request URL To: your_second_energy_api_implementation
   • OTHERWISE: Keep Default Service Request URL

   

   Note: If you don't have a second implementation of the Energy API, then use this service request URL as an example: http://private-bc194-energy7.apiary-mock.com.

   The Header Based Routing policy appears on the Request tab of the API Implementation panel.

   

5. On the APIs page, click Save Changes.

   

After you add the header-based routing policy to the Energy API, you must redeploy the API to activate the policy.

1. On the Deployments tab, hold the cursor over the gateway name where the API is deployed, and then click Redeploy.

   

2. On the Redeploy menu, click Latest Iteration.

   

3. On the Deployment page, enter a comment about the reason to redeploy, and click Yes.

   

4. On the Deployments tab, wait until the deployment is complete before testing your API.

   

   Note: If the deployment isn't moved from the Waiting tab to the Deployed tab, then try refreshing the page.

   The Deployed tab is automatically updated when the API is deployed, and the date is updated with a new deployment date.

   

After the redeployment is complete, the API applies the header-based routing policy to the incoming requests.

1. Build your API URL using this format:

   http://hostname.domain:port/api_endpoint_url/resource_path

2. In the Postman client, enter or select the following values in these fields, and then click Send:

   • Method: GET
   • API URL: your API URL
   • Header key/value: my-key / your application key
   • Header key/value: server / 0

   

   The result you get is retrieved from the first back-end service.

   

3. In the Postman client, enter or select the following values in these fields, and then click Send:

   • Method: GET
   • API URL: your API URL
   • Header key/value: my-key / your application key
   • Header key/value: server / 5

   

   The retrieved result is from the second back-end service.