Skip to main content

Parameters

See plugin common configurations for configuration options available to all plugins.

Credentials

The following are plugin attributes available for configurations on credentials.

  • key_id

    string

    required

    Unique identifier for the consumer, which identifies the associated configurations such as the secret key.

  • secret_key

    string

    required

    Secret key used to generate an HMAC.

    The key is encrypted with AES before being stored in etcd. You can also store it in an environment variable and reference it using the env:// prefix, or in a secret manager such as HashiCorp Vault's KV secrets engine, and reference it using the secret:// prefix. For more information, see secrets.

Routes or Services

The following are plugin attributes available for configurations on routes or services.

  • allowed_algorithms

    array[string]

    default: ["hmac-sha1", "hmac-sha256", "hmac-sha512"]

    The list of HMAC algorithms allowed.

  • clock_skew

    integer

    default: 300

    vaild vaule:

    greater than or equal to 1

    Maximum allowable time difference in seconds between the client request's timestamp and APISIX server's current time. This helps account for discrepancies in time synchronization between the client’s and server’s clocks and protect against replay attacks. The timestamp in the Date header (must be in GMT format) will be used for the calculation.

  • signed_headers

    array[string]

    The list of HMAC-signed headers that should be included in the client request's HMAC signature.

  • validate_request_body

    boolean

    If true, validate the integrity of the request body to ensure it has not been tampered with during transmission. Specifically, the plugin creates a SHA-256 base64-encoded digest and compare it to the Digest header. If the Digest` header is missing or if the digests do not match, the validation fails.

  • hide_credentials

    boolean

    default: false

    If true, do not pass the authorization request header to upstream services.

  • anonymous_consumer

    string

    Anonymous consumer name. If configured, allow anonymous users to bypass the authentication. See Rate Limit with Anonymous Consumer for more details.

API7.ai Logo

The digital world is connected by APIs,
API7.ai exists to make APIs more efficient, reliable, and secure.

Sign up for API7 newsletter

Product

API7 Gateway
API7 AI Gateway
API7 API Portal

Learn

API Gateway Guide
Plugin Hub
API Gateway Comparison
Customers

Resources

API Gateway Docs
Blog
Demo Hub
APISIX vs Kong

Company

About
Contact
Compliance Standards
Partners
Terms & Privacy
SOC2 Type IIISO 27001HIPAAGDPRRed Herring

Copyright © APISEVEN PTE. LTD 2019 – 2025. Apache, Apache APISIX, APISIX, and associated open source project names are trademarks of the Apache Software Foundation