Manage Credentials
Credentials are authentication tokens that you use to make API calls through the gateway. This guide covers how to manage credentials within your applications.
Prerequisites
- A Developer Portal account with an active status.
- An application with at least one active subscription.
Create a Credential
- Log in to the Developer Portal.
- Navigate to My Applications and select your application.
- Go to the Credentials tab (or the tab for the specific authentication type).
- Click Add Credential (or Add Key, Add OAuth Client, depending on the type).
Key Authentication
When creating a key authentication credential:
| Field | Required | Description |
|---|---|---|
| Name | Yes | A descriptive name for the credential. |
| Description | No | Optional description. |
An API key is automatically generated. Copy and securely store the key immediately because it is only shown in full at creation time.
To use the key in API requests, include it in the request header:
```bash
curl "https://gateway.example.com/api/endpoint" \
  -H "apikey: <your-api-key>"
```
Basic Authentication
When creating a basic authentication credential:
| Field | Required | Description |
|---|---|---|
| Name | Yes | A descriptive name for the credential. |
| Username | Yes | The username for HTTP Basic Authentication. |
| Password | Yes | The password for HTTP Basic Authentication. |
To use basic auth in API requests:
```bash
curl "https://gateway.example.com/api/endpoint" \
  -u "username:password"
```
OAuth (DCR)
When creating an OAuth credential through Dynamic Client Registration:
| Field | Required | Description |
|---|---|---|
| Name | Yes | A descriptive name for the credential. |
| Identity Provider | Yes | Select the DCR provider configured by the administrator. |
| Redirect URIs | Yes | Callback URLs for the OAuth flow. |
The portal registers a client with the identity provider and returns:
- Client ID: Use this in OAuth flows.
- Client Secret: Use this in OAuth flows. Copy it immediately.
To use the OAuth credential:
- Request an access token from the identity provider using the client ID and secret.
- Include the access token in API requests:
```bash
curl "https://gateway.example.com/api/endpoint" \
  -H "Authorization: Bearer <access-token>"
```
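The curl commands in the Key Authentication, Basic Authentication and OAuth (DCR) sections pass the secret on the command line, where it can be exposed through shell history and the process list. The following is an added example, not part of the portal's own documentation: it reads the secret from stdin into an owner-only curl config file and refuses to call the gateway if that file is readable by others. The function names and file locations are assumptions.

```shell
#!/bin/sh
# Added example: keep gateway credentials out of argv and shell history.
# Function names and file locations are assumptions, not portal settings.

# write_curl_config FILE TYPE   (TYPE: apikey | basic | bearer)
# Reads one line from stdin: the API key, "username:password", or access token.
write_curl_config() {
    wcc_file=$1
    wcc_type=$2
    IFS= read -r wcc_secret || true
    [ -n "$wcc_secret" ] || { echo "no secret on stdin" >&2; return 1; }
    # Escape backslashes first, then double quotes, for curl's quoted config values.
    wcc_esc=$(printf '%s' "$wcc_secret" | sed 's/\\/\\\\/g; s/"/\\"/g')
    case $wcc_type in
        apikey) wcc_line="header = \"apikey: $wcc_esc\"" ;;
        basic)  wcc_line="user = \"$wcc_esc\"" ;;
        bearer) wcc_line="header = \"Authorization: Bearer $wcc_esc\"" ;;
        *) echo "unknown credential type: $wcc_type" >&2; return 2 ;;
    esac
    # Recreate the file under a restrictive umask so it is never group/world readable.
    rm -f "$wcc_file"
    ( umask 077; printf '%s\n' "$wcc_line" > "$wcc_file" ) || return 1
    chmod 600 "$wcc_file"
}

# config_is_private FILE: succeeds only if FILE is a regular file with mode rw-------.
config_is_private() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# gateway_call FILE URL: call the gateway with credentials taken from FILE.
# Returns 3 without contacting the gateway if FILE is readable by anyone else.
gateway_call() {
    config_is_private "$1" || { echo "refusing: $1 is not owner-only" >&2; return 3; }
    curl --silent --show-error --fail --config "$1" "$2"
}
```

Run `write_curl_config "$HOME/.gateway-key.curlrc" apikey` and paste the key at creation time, then call `gateway_call "$HOME/.gateway-key.curlrc" "https://gateway.example.com/api/endpoint"`. After regenerating a credential, rerun `write_curl_config` with the new value.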
View Credentials
Navigate to My Applications > select application > Credentials tab to see all credentials associated with the application. Sensitive values (API keys, passwords, client secrets) are masked after creation.
Regenerate a Credential
If a credential is compromised or you need to rotate it:
- Navigate to the credential in your application.
- Click Regenerate.
- Confirm the action.
The old credential value is immediately invalidated. Copy and securely store the new value.
Regenerating a credential invalidates the previous value immediately. All API requests using the old credential will fail. Update your applications with the new credential before regenerating.
For OAuth credentials, secret rotation is only available when using an HTTP Bridge DCR provider. OIDC-type DCR providers do not support client secret rotation.
Delete a Credential
- Navigate to the credential in your application.
- Click Delete.
- Confirm the deletion.
For OAuth credentials, deleting the credential also removes the registered client from the identity provider.
Multiple Credentials per Application
An application can have multiple credentials of different types. This is useful when:
- An API product supports multiple authentication methods and you want to use different methods for different integrations.
- You need to rotate credentials without downtime by creating a new credential before deleting the old one.