HMAC for only private API #2120

Closed
zono opened this issue Feb 22, 2017 · 3 comments

zono commented Feb 22, 2017

We have two types of API endpoints: public and private. Is it possible to use HMAC authentication on only the private endpoints?

e.g.

GET https://api.example.com/items ... This is a public API. No HMAC needed.

POST https://api.example.com/users/john/friends ... This is a private API. It needs HMAC. We want to confirm that John sent this request by checking the HMAC signature.

The following is the installation of the hmac-auth plugin. It does not seem to have a public and private distinction.

curl -i -X POST \
    --url http://localhost:8001/apis/api.example.com/plugins/ \
    --data "name=hmac-auth"

zono commented Feb 22, 2017

I found this plugin installation document. I may choose one of the following options. This may be what I need. I will try it.

https://getkong.org/docs/0.9.x/admin-api/#add-plugin

Add Plugin

You can add a plugin in four different ways:

  • For every API and Consumer. Don't set api_id and consumer_id.
  • For every API and a specific Consumer. Only set consumer_id.
  • For every Consumer and a specific API. Only set api_id.
  • For a specific Consumer and API. Set both api_id and consumer_id.

zono commented Feb 23, 2017

I think I found a way and it worked.
Do you agree that it is a correct way?

(1) Create 2 APIs with different request_path (without request_host)

curl -i -X POST \
  --url http://localhost:8001/apis/ \
  --data 'name=example-items-api' \
  --data 'upstream_url=http://api.example.com/' \
  --data 'request_path=/items'
  
curl -i -X POST \
  --url http://localhost:8001/apis/ \
  --data 'name=example-users-api' \
  --data 'upstream_url=http://api.example.com/' \
  --data 'request_path=/users'

(2) Apply HMAC plugins for the 'example-users-api' API

curl -i -X POST \
    --url http://localhost:8001/apis/example-users-api/plugins/ \
    --data "name=hmac-auth"

@shashiranjan84
Contributor

@y-zono yes, you followed the right way.
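
Added example, not part of the original thread and not Kong's own code: a simplified Python model of the setup above, where requests under /items pass unsigned and requests under /users must carry a valid HMAC signature over the Date header. The Authorization header layout is assumed from the hmac-auth plugin documentation; the consumer secret, the clock-skew value and the status codes are constructed for this model.

```python
import base64, hashlib, hmac, re
from datetime import datetime, timezone
from email.utils import formatdate, parsedate_to_datetime

# Constructed sample data (not from the issue): one consumer credential.
SECRETS = {"john": b"constructed-secret"}
CLOCK_SKEW = 300  # seconds of allowed Date drift; assumed value for this model

def _signature(secret, date_value):
    # The signing string covers only the Date header: "date: <value>"
    mac = hmac.new(secret, ("date: " + date_value).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def sign(username, secret, date_value=None):
    """Client side: headers for a request to the HMAC-protected path."""
    date_value = date_value or formatdate(usegmt=True)
    auth = ('hmac username="%s", algorithm="hmac-sha1", headers="date", '
            'signature="%s"' % (username, _signature(secret, date_value)))
    return {"Date": date_value, "Authorization": auth}

def _under(path, prefix):
    # Segment-aware prefix match, so /usersfoo is not treated as /users
    return path == prefix or path.startswith(prefix + "/")

def gateway_status(path, headers, now=None):
    """Gateway side: /items is open, /users requires a valid signature."""
    if _under(path, "/items"):
        return 200                      # example-items-api: no plugin attached
    if not _under(path, "/users"):
        return 404                      # no API registered for this path
    fields = dict(re.findall(r'(\w+)="([^"]*)"', headers.get("Authorization", "")))
    secret = SECRETS.get(fields.get("username"))
    date_value = headers.get("Date", "")
    try:
        drift = (now or datetime.now(timezone.utc)) - parsedate_to_datetime(date_value)
    except (TypeError, ValueError):
        return 401                      # missing or unparsable Date header
    if secret is None or abs(drift.total_seconds()) > CLOCK_SKEW:
        return 401                      # unknown consumer or stale request
    expected = _signature(secret, date_value).encode()
    sent = fields.get("signature", "").encode()
    # Constant-time comparison avoids leaking how many bytes matched
    return 200 if hmac.compare_digest(expected, sent) else 401
```

In this model the signature covers only the Date header, so it does not bind the request path or body; a captured header pair stays valid for any /users path until the skew window closes.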
