API Policies

New feature in Frends 5.8. API Policies provide access management and rate limiting for HTTP and API endpoints.

Written by Erkka Honkavaara
Updated over 4 months ago

What you should know if you are upgrading to Frends 5.8 from a prior version:

  • API Policies decouple authentication from the Process level and move API Key access management (previously API Key rulesets), OAuth (previously OpenAPI specifications/API Policies) and the new Private Application tokens under one central view.

  • Policies allow configuring access to different endpoints (path and HTTP method) for different Agent Groups with different access options, such as using API Keys for development and OAuth for production. Several authorization options can even be available at the same time for a single Process.

  • Previously, throttling was only available with API Keys; now you can use it with other authentication methods and even with unauthenticated requests.

  • Because the authentication is now decoupled from the Process, API passthroughs can now leverage the different authorization options available in Frends.

The API Policies page is located in the main navigation bar under APIs → API Policies.

Creating a Policy

To create an API Policy, click on Create new and choose a name. Optionally, add a description and one or more tags. Then, configure the following:

Targeted endpoints and throttling

The Targeted endpoints section specifies the endpoints that the policy affects, and optional throttling. Endpoints are specified by an HTTP method (such as GET) and a path (such as /v1/api/foo). Throttling can be disabled or set to any number of requests per minute, hour or day.

The same endpoint may be specified multiple times with different HTTP methods. If one of those entries uses the wildcard ALL HTTP method, it has the lowest precedence: an entry with a specific method wins for requests using that method. For example:

(Screenshot omitted: /v1/api/foo is listed once with the ALL method and once with POST throttled to 10 requests per hour.)
In this situation, the policy affects any calls made to /v1/api/foo using any HTTP method. Additionally, POST requests are throttled to 10 requests per hour.
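The following Python model is an added illustration, not Frends code, of how the precedence rule and the per-endpoint throttling described above resolve the /v1/api/foo example. The class and function names are hypothetical, and the fixed-window counter is an assumption about how the request limit is enforced.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical model of targeted-endpoint matching and throttling (not Frends code).
WINDOW_SECONDS = {"minute": 60, "hour": 3600, "day": 86400}


@dataclass
class Endpoint:
    method: str                  # e.g. "GET", "POST", or the wildcard "ALL"
    path: str                    # e.g. "/v1/api/foo"
    limit: Optional[int] = None  # requests per interval; None means throttling disabled
    interval: str = "hour"       # "minute", "hour" or "day"


@dataclass
class Policy:
    endpoints: list
    # (method, path, window number, caller) -> requests seen in that fixed window
    counters: dict = field(default_factory=lambda: defaultdict(int))

    def match(self, method: str, path: str) -> Optional[Endpoint]:
        """Pick the entry for a request: a specific method beats the ALL wildcard."""
        candidates = [e for e in self.endpoints
                      if e.path == path and e.method in (method.upper(), "ALL")]
        if not candidates:
            return None
        # False sorts before True, so a non-ALL entry is chosen when present
        return min(candidates, key=lambda e: e.method == "ALL")

    def check(self, method: str, path: str, now: int, caller: str = "anon") -> str:
        """Return 'not_targeted', 'allowed' or 'throttled' for one request at time `now`."""
        entry = self.match(method, path)
        if entry is None:
            return "not_targeted"
        if entry.limit is None:
            return "allowed"
        # Fixed window: requests are counted per interval bucket (assumption)
        window = now // WINDOW_SECONDS[entry.interval]
        bucket = (entry.method, entry.path, window, caller)
        self.counters[bucket] += 1
        return "allowed" if self.counters[bucket] <= entry.limit else "throttled"


def example_policy() -> Policy:
    """The page's example: /v1/api/foo for any method, plus POST throttled to 10/hour."""
    return Policy([Endpoint("ALL", "/v1/api/foo"),
                   Endpoint("POST", "/v1/api/foo", limit=10, interval="hour")])
```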

Identities

Identities specify the authentication methods for the API.

Public access

If no authentication is necessary, enable public access and specify the Agent Groups on which the API should be exposed.

API Key

You may first want to create an API Key.

A single Identity may contain multiple API Keys. API key authentication can be done via a header or a query parameter with a name of your choice. By default, the x-api-key header is used. You may configure throttling on a per-key basis.

OAuth

You may first want to configure an OAuth Application.

Select the Agent Groups for which OAuth authentication should be available, and one or more issuers. To enable throttling by a claim, first select a throttling interval (minute, hour, or day), then specify the claim and the number of requests per interval. Then define any number of claim-based rules that determine whether access is allowed or denied. If a user token matches multiple OAuth Identities, the Identity with the lowest priority number will be selected.

Private application token

You may first want to configure a Private Application.

Configuring a Private application token Identity is very similar to configuring an OAuth Identity. The only difference is that no issuers need to be configured.
