Solution overview

The following diagram shows how a request is processed by the Airlock Gateway using API keys with Airlock IAM.

The following focuses on API key-based access control. Other API protection features, such as filtering or enforcing API specifications, are not shown.

Exemplary API access

1. The administrator creates a Tech-Client and issues one or more API keys in the Airlock IAM Adminapp.

   Note: This step can be done manually in the Adminapp web application or using the REST API.

2. The API key is delivered to the Tech-Client (the API client) and attached to each API request.

3. The Airlock Gateway applies all filters on the request, extracts the API key, and looks up information about the Tech-Client by calling the API Policy Service end-point in Airlock IAM (this step may be skipped using cached information).

4. Based on the Tech-Client attributes, the Airlock Gateway decides whether access to the API is granted and what rate limit applies. The request is passed to the API service.
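The lookup, caching and decision steps above can be modelled as follows. This is an added sketch, not Airlock code or configuration: the `X-API-Key` header name, the `TechClient` fields, the TTL cache, the fixed-window rate limit and the status codes are all assumptions. In this model a revoked key stays usable until its cache entry expires, which is the trade-off of skipping the lookup.

```python
import time
from dataclasses import dataclass

@dataclass
class TechClient:            # hypothetical attribute set, not Airlock IAM's schema
    client_id: str
    allowed_apis: frozenset
    rate_limit_per_min: int

# Constructed stand-in for the IAM policy lookup: API key -> Tech-Client.
POLICY_DB = {"k-demo-1": TechClient("billing-batch", frozenset({"/invoices"}), 2)}

class Gateway:
    def __init__(self, lookup, cache_ttl=60.0, clock=time.monotonic):
        self.lookup, self.ttl, self.clock = lookup, cache_ttl, clock
        self.cache = {}      # api_key -> (expires_at, TechClient or None)
        self.windows = {}    # client_id -> (window_start, request_count)
        self.lookups = 0     # number of calls made to the policy service

    def _client_for(self, key):
        now = self.clock()
        hit = self.cache.get(key)
        if hit and hit[0] > now:
            return hit[1]                  # lookup skipped: cached answer
        self.lookups += 1
        client = self.lookup(key)          # ask the policy service
        self.cache[key] = (now + self.ttl, client)  # unknown keys cached too
        return client

    def handle(self, headers, path):
        key = headers.get("X-API-Key")     # header name is an assumption
        if not key:
            return 401
        client = self._client_for(key)
        if client is None:
            return 401                     # unknown or revoked key
        if path not in client.allowed_apis:
            return 403                     # key valid, API not granted
        now = self.clock()
        start, count = self.windows.get(client.client_id, (now, 0))
        if now - start >= 60:
            start, count = now, 0          # new one-minute window
        if count >= client.rate_limit_per_min:
            return 429
        self.windows[client.client_id] = (start, count + 1)
        return 200                         # request forwarded to the API service
```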