A key request is a record that is generated when a developer requests an access token for an API published in the API Catalogue. The Key request encompasses the following information:
- The policy of which access is being requested
- The developer doing the requesting
- The catalogue entry in question
- The reasoning of why the developer should have access (these are dynamic fields and can be configured)
When a developer requests access to an API Catalogue entry, this key request represents that request for access. The key request can then be acted on, either by the portal itself, or by an administrator. The key request does not grant a token yet, it simply marks the fact that a token has been requested and why.
Tyk enables you to manage this flow in a few ways:
- Auto-approve the key request.
- Have an admin approve the key-request.
- Hand off to a third-party system to manage the key-request (e.g. for billing or additional user validation). This is done via WebHooks or via the “Redirect Key Request” Portal Setting.
Once a key request is created, one of two things can be done to it:
- It can be approved: Covered below
- It can be declined: In which case the request is deleted.
A key request can be created using the Dashboard API too, in fact, the Key Request mechanism is a great way to create a mapping between an identity (a developer) and a token, and managing that process.
Secure Key Approval
By default, the Key Approval flow is straight forward. Once a Key Request is approved, the Developer will be notified via an email which contains the API Key.
As of Dashboard version
3.1.0, it is now possible to turn on a more secure key approval flow. Once the “Request Key Approval” setting is enabled, we see an additional setting:
With this feature turn on, we prevent the API key from being sent in plain text via email. Instead, the once a key request is approved, the Developer will be sent a confirmation link in an email that directs them to the Portal:
After clicking the
Generate Key link and logging into the Portal, the key becomes available to the user: