API Policies

Authentication and logging rules for your API endpoints.

API Policies authenticate API callers with API keys or OAuth bearer tokens, and manage the logging and throttling options for the endpoints.

API Policy for setting up API key authentication.

An API Policy defines the API endpoints it applies to. If only the beginning of a URL is specified, the policy targets all matching endpoints through an implicit wildcard.

API Authentication

For each API Policy, one or more authentication methods can be defined, ranging from externally defined OAuth providers to locally defined API keys. In addition, APIs can be set to be publicly available, requiring no authentication. In Frends, an API with no authentication method or no API Policy is not public; it is inaccessible. An API Policy must be set up before anyone can connect to the API.

Logging policies

Finally, you can add a logging configuration to the API Policy to define whether API events are logged for the targeted endpoints in specified Environments, and which details are logged.

API logging configuration options.

As with authentication, not setting up a logging policy means no logging for the APIs. This avoids increasing load and storage requirements by default; the logs become available only once logging is enabled.

This applies only to API connection logging, available in API Monitoring. Linked Processes in your APIs are logged according to the Environment log settings.

Combining policies

By combining freely defined target endpoints, the public access identity rule and logging options, policies make it possible to define purely logging-specific policies in addition to authentication policies. When multiple policies target the same endpoints, authentication, logging and throttling options can be separated into multiple policies, and global policies can set the default values for your Environments.
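The following sketch is an added example, not Frends code or a Frends export format. It models the rules described above (prefix targeting, no access without an authentication rule, no logging without a logging policy) to audit a policy set for endpoints that are public or reachable without logging. The `Policy` class, the method names, and the assumption that settings from all matching policies are combined are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    # Hypothetical model of one API Policy; not the Frends data format.
    name: str
    target: str                    # URL beginning, treated as an implicit wildcard
    auth: frozenset = frozenset()  # e.g. {"api_key"}, {"oauth"}, {"public"}
    logging: bool = False          # True if the policy carries a logging configuration

def audit(endpoint, policies):
    """Summarise the effective access and logging state of one endpoint."""
    matching = [p for p in policies if endpoint.startswith(p.target)]
    # Assumption: settings from every matching policy are combined.
    auth = frozenset().union(*(p.auth for p in matching))
    if not auth:
        access = "no access"       # no policy or no auth method: closed, not public
    elif "public" in auth:
        access = "public"
    else:
        access = "authenticated"
    return {"access": access, "auth": sorted(auth),
            "logged": any(p.logging for p in matching),
            "policies": [p.name for p in matching]}

def findings(endpoints, policies):
    """Return (endpoint, issue) pairs worth a reviewer's attention."""
    out = []
    for ep in endpoints:
        r = audit(ep, policies)
        if r["access"] == "public":
            out.append((ep, "reachable without authentication"))
        if r["access"] == "no access":
            out.append((ep, "no authentication rule, callers cannot connect"))
        elif not r["logged"]:
            out.append((ep, "reachable but API connection logging is off"))
    return out

# Constructed sample data for illustration only.
POLICIES = [
    Policy("orders-key", "/api/orders", auth=frozenset({"api_key"})),
    Policy("orders-logging", "/api/orders", logging=True),  # logging-only policy
    Policy("status-public", "/api/status", auth=frozenset({"public"})),
    Policy("invoices-oauth", "/api/invoices", auth=frozenset({"oauth"})),
]
ENDPOINTS = ["/api/orders/42", "/api/status", "/api/invoices/7", "/api/admin/users"]

if __name__ == "__main__":
    for ep, issue in findings(ENDPOINTS, POLICIES):
        print(f"{ep}: {issue}")
```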

Check here for a guide on how to create an API Policy.
