API Policies

Authentication and logging rules for your API endpoints.

API Policies are used to authenticate API callers as well as manage the logging and throttling options for the endpoints.

API Policy for setting up API key authentication.

API Policy creation

In an API policy, you define the name of the policy and which API endpoints and HTTP methods it targets. A policy can either target a few specific endpoints or use an implicit wildcard to match a whole API rather than specific endpoints or methods. Throttling can also be set for each endpoint. A policy can also target multiple APIs, as well as endpoints not defined in any API, if there are other resources under the Frends Environment's URL that you would like the policy to cover.

API authentication

To set up authentication in the policy, add a New identity to it. The options are OAuth, private application and API key, as well as public access, which lets anyone access the specified endpoints without authentication.

  • OAuth here refers to external OAuth application authentication, which can be connected to Frends through the Administration > OAuth applications menu.

  • Private application refers to OAuth authentication where the issuer is not defined or is the Frends tenant itself. These can be configured under the Administration > Private applications menu.

  • API keys can be configured under the Administration > API keys menu and are then enabled here for use on the specified API endpoints.

Each API authentication method also supports throttling based on the identity.

Logging configuration

Finally, you can add a logging configuration to the API policy to define whether API events should be logged for the targeted endpoints in the specified Environments, and which details are logged.

API logging configuration options.

It can be useful to set these up separately for development, testing and production use, both to enable better debugging and to reduce the amount of data logged in production use, as well as for privacy and security reasons.

Combining policies

By combining freely defined target endpoints, the public access identity rule and the logging options, policies make it possible to define purely logging-specific policies in addition to authentication policies. If multiple policies target the same endpoints, you can separate authentication, logging and throttling options into multiple policies, and create global policies that set the default values for your Environments.
