webMethods


How to restrict access to different resources in a restful API to consumers?

  • 1.  How to restrict access to different resources in a restful API to consumers?

    Posted Tue February 27, 2024 09:40 AM

    If I have a restful API with 2 resources in an API -

    • POST /r1
    • PATCH /r2

    The API is protected with x-Gateway-APIKey request header.

    Consumer 1 is allowed to access only /r1, and consumer 2 is allowed to access only /r2.
    How to achieve the same?
    With OAuth, I can restrict the consumers with scoping, however the API is to be protected only with x-Gateway-APIKey request header.

    Please suggest.


    #REST
    #webMethods
    #API
    #authorization
    #apigateway
    #authentication


  • 2.  RE: How to restrict access to different resources in a restful API to consumers?

    Posted Wed February 28, 2024 04:32 AM

    Hi @mofarhan,
    As you said, this is easily achievable using OAuth scope.

    The other option I could think of is to create a scope for each resource.
    Under each scope use the identify and authorize policy.
    Under the authorize policy we should use the API key and header name to authenticate the request.

    In my use case I created an application, and inside the application we have 2 headers, one for each resource.

    And now when I am invoking the request, I am passing the header as well, apart from the API key.
    And this should get validated.

    I am attaching the sample API along with the application for your reference.
    WorkflowAPI.zip (13.3 KB)
    WorkFlowApplication.zip (12.7 KB)

    Curl command used for testing the API:
    curl --location --request POST 'http://replaceWithTenantName/gateway/WorkflowAPI/1.0/2mEU92D7mY' \
      --header 'Content-Type: application/json' \
      --header 'Accept: application/json' \
      --header 'x-Gateway-APIKey: c31bc8ba-1299-4034-badf-1c118abaa786' \
      --header 'CustomerResourceID: 11223344'

    Let me know if this solves your use case problem.

    Regards
    Vikash Sharma


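The check the thread is asking for, consumer-to-resource restriction keyed on an API key, expressed as plain code so the decision logic is visible. This is an added example, not the original poster's attachment and not webMethods API Gateway configuration: the registry, the two placeholder keys, the `consumer1`/`consumer2` names and the `{id}` path template are constructed for illustration. It generalizes the thread's two-resource case to any number of consumers and resources, stores keys by SHA-256 fingerprint rather than in the clear, treats the `x-Gateway-APIKey` header name case-insensitively, and keeps "not identified" (401) separate from "identified but not permitted" (403) so gateway logs can tell unknown callers apart from known callers overreaching. The point to carry back to the gateway policy: the allow decision is bound to the authenticated API key, and a client-supplied header such as `CustomerResourceID` may select a resource but must never on its own be what grants access to it.

```python
"""Per-consumer, per-resource authorization keyed on an API key (added example)."""
import hashlib
from dataclasses import dataclass
from typing import FrozenSet, Mapping, Tuple

Resource = Tuple[str, str]  # (HTTP method, path template), e.g. ("PATCH", "/r2/{id}")


@dataclass(frozen=True)
class Consumer:
    name: str
    allowed: FrozenSet[Resource]


@dataclass(frozen=True)
class Decision:
    allowed: bool
    status: int         # HTTP status the gateway would return
    reason: str
    consumer: str = ""  # empty when the caller could not be identified


def key_fingerprint(api_key: str) -> str:
    """Store and look up keys by SHA-256 so the registry never holds raw secrets."""
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()


# Constructed sample registry (fingerprint -> consumer), mirroring the thread:
# consumer1 may only POST /r1, consumer2 may only PATCH /r2 (with or without an id).
# The key strings are placeholders, not real credentials.
REGISTRY: Mapping[str, Consumer] = {
    key_fingerprint("PLACEHOLDER-KEY-CONSUMER-1"): Consumer(
        "consumer1", frozenset({("POST", "/r1")})),
    key_fingerprint("PLACEHOLDER-KEY-CONSUMER-2"): Consumer(
        "consumer2", frozenset({("PATCH", "/r2"), ("PATCH", "/r2/{id}")})),
}

API_KEY_HEADER = "x-gateway-apikey"  # HTTP header names are case-insensitive


def path_matches(template: str, path: str) -> bool:
    """Segment-wise match; a `{name}` segment in the template matches any one segment."""
    t_parts = template.strip("/").split("/")
    p_parts = path.split("?", 1)[0].strip("/").split("/")  # ignore the query string
    if len(t_parts) != len(p_parts):
        return False
    return all((t.startswith("{") and t.endswith("}")) or t == p
               for t, p in zip(t_parts, p_parts))


def authorize(method: str, path: str, headers: Mapping[str, str],
              registry: Mapping[str, Consumer] = REGISTRY) -> Decision:
    """Identify the consumer by API key, then check its per-resource allowlist.

    The decision depends on the key alone; any other request header can only
    choose among resources the key is already permitted to reach.
    """
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    api_key = lowered.get(API_KEY_HEADER, "")
    if not api_key:
        return Decision(False, 401, "missing API key")
    consumer = registry.get(key_fingerprint(api_key))
    if consumer is None:
        return Decision(False, 401, "unknown API key")
    method = method.upper()
    if any(m == method and path_matches(tpl, path) for m, tpl in consumer.allowed):
        return Decision(True, 200, "permitted", consumer.name)
    return Decision(False, 403, f"{method} {path} not granted to {consumer.name}",
                    consumer.name)


if __name__ == "__main__":
    # Constructed requests: one permitted, one overreach by a known key, one anonymous.
    for m, p, h in [
        ("POST", "/r1", {"x-Gateway-APIKey": "PLACEHOLDER-KEY-CONSUMER-1"}),
        ("PATCH", "/r2/42", {"x-Gateway-APIKey": "PLACEHOLDER-KEY-CONSUMER-1"}),
        ("PATCH", "/r2/42", {}),
    ]:
        d = authorize(m, p, h)
        print(f"{m} {p}: {d.status} {d.reason}")
```

Running the module prints a 200 for consumer1 on `POST /r1`, a 403 for the same key on `PATCH /r2/42`, and a 401 for the request with no key. In a gateway the equivalent of `REGISTRY` is the application store and the equivalent of `authorize` is the identify-and-authorize policy on each scope; the value of writing it out is seeing that the scope grant hangs off the key, not off any header the caller chooses to send.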


  • 3.  RE: How to restrict access to different resources in a restful API to consumers?

    Posted Wed February 28, 2024 05:26 AM

    @Vikash_Sharma1 Thanks. Let me go through your solution. However, the product version I use is 10.7 and I am not able to import the same. I get this error - Importing an archive failed.
    The selected archive is not supported by this API Gateway version. The archive was exported from API Gateway version: 11.0. If possible, please export them using a lower version.




  • 4.  RE: How to restrict access to different resources in a restful API to consumers?



  • 5.  RE: How to restrict access to different resources in a restful API to consumers?

    Posted Wed February 28, 2024 06:32 AM

    Great. Crystal clear. Thanks for your support each time.

