Skip to main content

a6-plugin-key-auth

Overview

The key-auth plugin authenticates requests using API keys. Clients include a key in a header, query parameter, or cookie. APISIX looks up the key against consumer credentials and, on match, forwards the request with consumer identity headers. On failure it returns 401 Unauthorized.

When to Use

  • Protect routes with simple API-key authentication
  • Identify which consumer is calling an API
  • Combine with rate-limiting for tiered access (authenticated vs anonymous)
  • Hide credentials from upstream services

Plugin Configuration Reference (Route/Service)

FieldTypeRequiredDefaultDescription
headerstringNo"apikey"Header name to extract API key from
querystringNo"apikey"Query parameter name (lower priority than header)
hide_credentialsbooleanNofalseRemove key from request before forwarding upstream
anonymous_consumerstringNoConsumer username for unauthenticated requests
realmstringNo"key"Realm in WWW-Authenticate response header on 401

Consumer Credential Reference

FieldTypeRequiredDescription
keystringYesUnique API key for the consumer. Auto-encrypted in etcd.

Key Lookup Priority

  1. Header (default: apikey) — checked first
  2. Query parameter (default: apikey) — checked if header absent
  3. If both absent → 401 Unauthorized with "Missing API key in request"

Step-by-Step: Enable key-auth on a Route

1. Create a consumer

a6 consumer create -f - <<'EOF'
{
"username": "alice"
}
EOF

2. Add key-auth credential to the consumer

Use the Admin API (credentials are sub-resources of consumers):

curl "$(a6 context current -o json | jq -r .server)/apisix/admin/consumers/alice/credentials" \
-X PUT \
-H "X-API-KEY: $(a6 context current -o json | jq -r .api_key)" \
-d '{
"id": "cred-alice-key-auth",
"plugins": {
"key-auth": {
"key": "alice-secret-key-001"
}
}
}'

3. Create a route with key-auth enabled

a6 route create -f - <<'EOF'
{
"id": "protected-api",
"uri": "/api/*",
"plugins": {
"key-auth": {}
},
"upstream": {
"type": "roundrobin",
"nodes": {
"backend:8080": 1
}
}
}
EOF

4. Verify authentication

# Should succeed (200)
curl -i http://127.0.0.1:9080/api/users -H "apikey: alice-secret-key-001"

# Should fail (401)
curl -i http://127.0.0.1:9080/api/users

Common Patterns

Custom header name

{
"plugins": {
"key-auth": {
"header": "X-API-Token"
}
}
}

Client sends: curl -H "X-API-Token: alice-secret-key-001" ...

Query parameter authentication

{
"plugins": {
"key-auth": {
"query": "token"
}
}
}

Client sends: curl "http://127.0.0.1:9080/api/users?token=alice-secret-key-001"

Hide credentials from upstream

{
"plugins": {
"key-auth": {
"hide_credentials": true
}
}
}

The apikey header or query param is stripped before reaching the backend. Always enable this in production.

Anonymous consumer with rate limiting

# Create anonymous consumer with strict limits
a6 consumer create -f - <<'EOF'
{
"username": "anonymous",
"plugins": {
"limit-count": {
"count": 10,
"time_window": 60,
"rejected_code": 429
}
}
}
EOF
{
"plugins": {
"key-auth": {
"anonymous_consumer": "anonymous"
}
}
}

Requests with valid keys → authenticated consumer. Requests without keys → anonymous consumer with rate limits.

Headers Added to Upstream

On successful authentication, APISIX adds:

HeaderValue
X-Consumer-UsernameConsumer's username
X-Credential-IdentifierCredential ID
X-Consumer-Custom-IdConsumer's labels.custom_id (if set)

Troubleshooting

SymptomCauseFix
401 "Missing API key in request"No key in header or queryAdd apikey header or query param
401 "Invalid API key in request"Key does not match any consumerVerify the key value in consumer credentials
Key visible in upstream logshide_credentials is falseSet hide_credentials: true
Anonymous users not workinganonymous_consumer not set or consumer missingCreate the consumer and set the field

Config Sync Example

version: "1"
consumers:
- username: alice
routes:
- id: protected-api
uri: /api/*
plugins:
key-auth: {}
upstream_id: my-upstream
upstreams:
- id: my-upstream
type: roundrobin
nodes:
"backend:8080": 1

Note: Consumer credentials must be created separately via the Admin API; a6 config sync manages the consumer resource but credentials are sub-resources.


This page is generated from a6-plugin-key-auth/SKILL.md in the api7/a6 repository. Browse all skills on the AI Agent Skills page.

API7.ai Logo

The digital world is connected by APIs,
API7.ai exists to make APIs more efficient, reliable, and secure.

Sign up for API7 newsletter

Product

API7 Gateway

SOC2 Type IIISO 27001HIPAAGDPRRed Herring

Copyright © APISEVEN PTE. LTD 2019 – 2026. Apache, Apache APISIX, APISIX, and associated open source project names are trademarks of the Apache Software Foundation