Solution overview

The following diagram shows how a request is processed by the Airlock Gateway using API keys with Airlock IAM.

The focus of the following is on API key-based access control. All other API protection features - such as filtering or enforcing API specifications - are not shown.

Exemplary API access

(1)	The administrator creates a Tech-Client and issues one or more API keys in the Airlock IAM Adminapp. Note: This step can be done manually in the Adminapp web application or using the REST API.
(2)	The API key is delivered to the Tech-Client (the API client) and attached to each API request.
(3)	The Airlock Gateway applies all filters on the request, extracts the API key, and looks up information about the Tech-Client by calling the API Policy Service end-point in Airlock IAM (this step may be skipped using cached information).
(4)	Based on the Tech-Client attributes, the Airlock Gateway decides whether access to the API is granted and what rate limit applies. The request is passed to the API service.

Chapter content

Terms and definitions

Request processing (sequence diagram)

API access control - how it works in detail