Add API Key authentication support to CRUD API Plugin #1650

@garrytrinder

Summary

Add support for API Key authentication to the CRUD API Plugin. Currently, the only supported authentication method is Microsoft Entra ID (see Entra auth how-to and CrudApiPlugin reference). Many APIs use API Key authentication, and Dev Proxy should support simulating this scenario as well.

Spec

Following the existing pattern used for Entra auth, we should add a new apiKey auth mode and a corresponding apiKeyAuthConfig section. This update will support passing keys via a header, or a request query-string.

Proposed API file schema

{
  "$schema": "...",
  "baseUrl": "https://api.contoso.com/v1/customers",
  "dataFile": "customers-data.json",
  "auth": "apiKey",
  "apiKeyAuthConfig": {
    "headerName": "x-api-key",
    "apiKey": "my-secret-key",
    "queryParameterName": "api_key"
  },
  "actions": [
    { "action": "getAll" },
    { "action": "getOne", "url": "/{customer-id}", "query": "$.[?(@.id == {customer-id})]" },
    { "action": "create" },
    { "action": "merge", "url": "/{customer-id}", "query": "$.[?(@.id == {customer-id})]" },
    { "action": "update", "url": "/{customer-id}", "query": "$.[?(@.id == {customer-id})]" },
    { "action": "delete", "url": "/{customer-id}", "query": "$.[?(@.id == {customer-id})]" }
  ]
}

Configuration properties

| Property | Type | Required | Description |
| --- | --- | --- | --- |
| auth | string | Yes | Set to "apiKey" to enable API Key authentication. |
| apiKeyAuthConfig.headerName | string | No | The HTTP header name to read the API key from. Defaults to x-api-key. |
| apiKeyAuthConfig.apiKey | string | Yes | The valid API key. |
| apiKeyAuthConfig.queryParameterName | string | No | The name of the query-string parameter to read the API key from. |

Behavior

  • When auth is set to "apiKey", the plugin checks the configured header or query parameter for the valid API key on every request.
  • If both the header and the query parameter are configured, the plugin checks both locations for the API key. If either carries the valid key, the request is authorized.
  • If neither the header nor the query parameter is present or valid, the plugin returns 401 Unauthorized.
  • If the key is valid, the request proceeds normally.
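
One way to implement the check the Behavior list describes, as an added C# example that is not Dev Proxy's code or part of the original issue. The names ApiKeyAuthConfig, ApiKeyCheck and StatusFor are hypothetical, and hashing both keys before a fixed-time comparison is an assumption the spec does not require.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Web;

// Constructed sample requests, checked against the key from the proposed schema.
var cfg = new ApiKeyAuthConfig("my-secret-key", QueryParameterName: "api_key");
var validHeader = new Dictionary<string, string> { ["X-API-Key"] = "my-secret-key" };
var wrongHeader = new Dictionary<string, string> { ["x-api-key"] = "guess" };
var noHeaders = new Dictionary<string, string>();

Console.WriteLine(ApiKeyCheck.StatusFor(cfg, validHeader, ""));                       // key in header
Console.WriteLine(ApiKeyCheck.StatusFor(cfg, noHeaders, "?api_key=my-secret-key"));   // key in query
Console.WriteLine(ApiKeyCheck.StatusFor(cfg, wrongHeader, "?api_key=my-secret-key")); // either location may carry it
Console.WriteLine(ApiKeyCheck.StatusFor(cfg, wrongHeader, "?page=2"));                // wrong key only
Console.WriteLine(ApiKeyCheck.StatusFor(cfg, noHeaders, ""));                         // no key at all

// Hypothetical mirror of the proposed apiKeyAuthConfig section (header name defaults to x-api-key).
record ApiKeyAuthConfig(string ApiKey, string HeaderName = "x-api-key", string? QueryParameterName = null);

static class ApiKeyCheck
{
    // Returns 200 when the header or the query parameter carries the valid key, otherwise 401.
    public static int StatusFor(ApiKeyAuthConfig cfg, IDictionary<string, string> headers, string queryString)
    {
        string? fromHeader = null;
        foreach (var h in headers) // HTTP header names are case-insensitive
            if (string.Equals(h.Key, cfg.HeaderName, StringComparison.OrdinalIgnoreCase))
                fromHeader = h.Value;

        // The query string is only consulted when queryParameterName is configured.
        // A repeated parameter comes back comma-joined and therefore fails the comparison.
        string? fromQuery = cfg.QueryParameterName is null
            ? null
            : HttpUtility.ParseQueryString(queryString)[cfg.QueryParameterName];

        return Matches(fromHeader, cfg.ApiKey) || Matches(fromQuery, cfg.ApiKey) ? 200 : 401;
    }

    // Missing or empty keys never match; hashing first gives equal-length inputs to the fixed-time compare.
    static bool Matches(string? presented, string expected)
    {
        if (string.IsNullOrEmpty(presented)) return false;
        return CryptographicOperations.FixedTimeEquals(
            SHA256.HashData(Encoding.UTF8.GetBytes(presented)),
            SHA256.HashData(Encoding.UTF8.GetBytes(expected)));
    }
}
```

Keys sent in the query string end up in URLs that proxies and servers commonly log, so the header location is the safer default when simulating a real API.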
