How to create and use API keys in Frends

In order to have a basic level of authentication anad authorization enabled for your APIs, API keys can be created, managed and used in Frends for APIs.

Requirements

In order to have access to API key management in Frends, you will need to have Administrator level permissions. At the very least, you should have ApiKeyManagement.Admin permission in your role to be able to access and manage API keys.

You should also have access to creating and editing API Policies, which is granted by the default Editor role in Frends, or byhaving ApiPolicy.Edit permission through a role.

How to create an API key

Start by navigating to Administration > API Keys view from the main menu to access API key management. You can create a new API key by clicking New API Key button top left.

For each API key you create, you need to specify a name and an Environment the key applies to. The key itself will be generated upon saving the key. The generated key value cannot be changed for an API key, only the Environment and name of the API key can be changed after creation.

As a common naming and usage scheme, a key would be created for each Environment, API or a set of APIs, and for each separate actor or system using them. For example, a name of an API key might be "ERP API - Dev - CRM system", if the API is for handling ERP integrations in Development Environment, and for CRM system to use to call the API. This would separate it for example from a webstore platform's API key to use the ERP API, which might be "ERP API - Test - Webstore" instead.

In order to actually use the created keys, we need to add them to an API Policy in order to connect them with an API.

How to use API keys in APIs

After you have created an API key or a set of API keys, we need to head over to APIs > API Policies page to set them up for our APIs.

In order to learn more about creating API Policies, you can check out the guide for it.

With new or existing API Policy, make sure Public access is disabled, and then click on New identity to add an API key to your Policy. The name requested specifies the identity for this Policy and not the API key's name.

With API key identity added, you can specify how the API key should be provided in the API calls, as well as which API keys can access the APIs using this API Policy and identity. When using multiple API keys in the same identity, they will share the throttling settings you can set up for an identity.

If there's a need to separate different users to different identities for throttling or other reasons, you can simply create another identity and add the other API keys there. Note that the API key usage method (header or query parameter) will be shared for all identities.

Because the API keys themselves contain the value which Environment the keys apply to, there is no selection for the targeted Agent Group for API key identities.

Remember to click on Save Changes in order to save the API Policy.