3. Security and Validation

apiKey

Validates an API key extracted from each request and resolves its scopes from the configured stores. On success it adds an ApiKeySecurityScheme carrying the scopes to the Exchange, which later plugins test with hasScope("..."). A missing key returns 401 and an invalid key 403 as Problem Details, unless required is false, in which case requests pass and scopes are attached only when a valid key is present.
 apiKey:
   [ required: true | false ]    # default: true
   extractors:                   # 0..*, default: header X-Api-Key
     - header: <name> | query: <name>
     ...
   stores:                       # 1..*
     - ...
 

Example Configuration

api:
   port: 2000
   flow:
     - apiKey:
         required: true
         extractors:
           - header: X-Api-Key

Syntax

apiKey:
  '$ref': <string>
  extractors:
    - <extractors>
  required: <boolean>
  stores:
    - <stores>

Attributes

| Name | Required | Default | Description | Examples |
|------|----------|---------|-------------|----------|
| $ref | false | - | Reference a component defined under components. | - |
| required | false | true | Whether a valid key is required. When false, keys are still extracted and scopes attached, but requests without a valid key pass through. | false |

Child Structure

| Element | Cardinality | Description |
|---------|-------------|-------------|
| extractors | 0..* | Where keys are read from. The first extractor that finds a key wins. If omitted, a single header extractor reading X-Api-Key is used. |
| stores | 0..* | Key stores that resolve a key to its scopes and authorize it. Scopes from all configured stores are merged. A key unknown to every store is rejected as invalid. |
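
The decision rules described on this page (first matching extractor wins, scopes merged across stores, 401 for a missing key, 403 for an invalid one, pass-through when required is false), written out as a small Python model. This is an added example, not Membrane's own code; the request shape, the dict-based stores, the api_key query parameter name and all function names are assumptions made for illustration.

```python
# Model of the apiKey decision rules documented on this page (not Membrane code).
# Request shape, store dicts and function names are assumptions for illustration.

def extract_key(request, extractors):
    """Return the key from the first extractor that finds one, else None."""
    for kind, name in extractors:              # kind is "header" or "query"
        if kind == "header":
            # HTTP header names are case-insensitive
            headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
            value = headers.get(name.lower())
        else:
            value = request.get("query", {}).get(name)
        if value is not None:
            return value                       # later extractors are not consulted
    return None

def resolve_scopes(key, stores):
    """Merge scopes from every store that knows the key; None if no store does."""
    known, scopes = False, set()
    for store in stores:                       # each store maps key -> list of scopes
        if key in store:
            known = True
            scopes.update(store[key])
    return scopes if known else None

def evaluate(request, stores, extractors=(("header", "X-Api-Key"),), required=True):
    """Return (status, scopes); status is 401, 403, or None when the request continues."""
    key = extract_key(request, extractors)
    scopes = resolve_scopes(key, stores) if key is not None else None
    if scopes is not None:
        return None, scopes                    # valid key: scopes attached
    if not required:
        return None, set()                     # passes through, no scopes attached
    return (401 if key is None else 403), set()

# Constructed sample data: two stores and a header-then-query extractor order
STORES = [{"k-123": ["read"]}, {"k-123": ["write"], "k-456": ["admin"]}]
BOTH = (("header", "X-Api-Key"), ("query", "api_key"))
```

With required set to false, a request with no key or an invalid key reaches later plugins with an empty scope set, so the hasScope("...") checks in those plugins are what enforce access.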

Can be used in