Credentials
A credential is an authentication token that a developer creates within an application to authenticate API requests through the gateway. Credentials are the link between a developer's application and the authentication enforcement on the gateway data plane.
Credential Types
The Developer Portal supports three credential types, corresponding to the authentication types configured on API products:
Key Authentication
Key authentication credentials provide a single API key that the developer includes in API requests (typically as a header or query parameter).
| Field | Description |
|---|---|
| Key | The API key value. Auto-generated if not specified at creation time. |
Basic Authentication
Basic authentication credentials provide a username and password pair that the developer includes in API requests using the HTTP Basic Authentication scheme.
| Field | Description |
|---|---|
| Username | The username for authentication. |
| Password | The password for authentication. |
OAuth (DCR)
OAuth credentials are registered with an external identity provider through Dynamic Client Registration (DCR). When a developer creates an OAuth credential, the portal registers a client with the configured DCR provider and returns the client ID and client secret.
| Field | Description |
|---|---|
| Client ID | The OAuth 2.0 client identifier, assigned by the identity provider. |
| Client Secret | The OAuth 2.0 client secret, assigned by the identity provider. |
| Redirect URIs | The callback URLs registered with the identity provider. |
| Client Secret Expires At | Expiration timestamp for the client secret (0 means no expiration). |
Credential Lifecycle
Creation
A developer creates a credential within an application. The credential type must match one of the authentication types enabled on the API products the application is subscribed to.
- Key auth: If no key is provided, one is auto-generated. The key is AES-encrypted before storage.
- Basic auth: The developer provides a username and password. The password is encrypted before storage.
- OAuth: The portal calls the DCR provider to register a new client. The client ID, client secret, and registration tokens are stored (encrypted) in the portal database.
Regeneration
Developers can regenerate credential authentication configuration:
- Key auth: Generates a new API key, invalidating the previous one.
- Basic auth: Regenerates the password.
- OAuth (HTTP Bridge only): Rotates the client secret through the DCR provider. Secret rotation is not supported for OIDC-type DCR providers.
Deletion
Deleting a credential removes it from the portal database. For OAuth credentials, the portal also deletes the registered client from the identity provider.
How Credentials Work at Runtime
When an API product is published with authentication enabled, the Portal API pushes a portal-auth plugin configuration to the linked gateway services. This plugin validates incoming API requests against the credentials stored in the portal database.
The authentication flow works as follows:
- A developer sends an API request to the gateway, including their credential (API key, basic auth header, or OAuth token).
- The gateway's
portal-authplugin extracts the credential from the request. - The plugin queries the Portal API's cached developer lookup service to validate the credential.
- If the credential is valid and the developer has an active subscription to the API product, the request is forwarded to the upstream service.
- If the credential is invalid or the developer does not have a valid subscription, the gateway returns an authentication error.
Security
- All credential secrets (API keys, passwords, client secrets, registration access tokens) are AES-encrypted before storage in the database.
- Credential values are only returned in full at creation time. Subsequent API responses mask sensitive fields.
- Each credential is linked to a developer identifier record that enables indexed lookups without exposing the raw credential value.