Request processing (sequence diagram)

The following flow diagram shows how a request sent by a Tech-Client is processed by the Airlock Gateway when applying access control based on API keys.


  • The Tech-Client is in possession of an API key issued by Airlock IAM.
  • The API key is not locked.
  • The API key is valid.
  • The Tech-Client is not locked.
  • The Tech-Client has the corresponding plans (rights) to access the protected service.

Request processing



(1) The Tech-Client sends a request bearing an API key to the Airlock Gateway.

(2) The Airlock Gateway applies security filters:
      • allow rules
      • deny rules
      • API specification conformance
      • etc.
    The request may be authenticated in terms of roles (One-Shot, redirect-based, or other). Note that this step is independent of the Tech-Client identification based on the API key.

(3) The API key is extracted from the request according to the configuration.
    The API key is looked up in the cache: if the cache contains valid Tech-Client information, steps (4) through (7) are skipped.

(4) The API key is sent to the API Policy Service of Airlock IAM in order to retrieve Tech-Client information.

(5) The API Policy Service looks up the Tech-Client given the API key and checks if the Tech-Client is locked.

(6) The API Policy Service returns Tech-Client attributes: a unique ID and the assigned plans and rate limits.

(7) The Airlock Gateway stores the Tech-Client attributes in the cache to optimize performance for subsequent requests. The cache timeout is configurable.

(8) The Airlock Gateway applies access restrictions based on the Tech-Client information (plans, rate limits). The Tech-Client ID is used for logging and reporting.

(9) The API request is forwarded to the protected service together with the Tech-Client ID.
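
The cache shortcut above (a hit skips steps (4) through (7), counting the steps in the order listed) also skips the lock check made by the API Policy Service. The following Python model is an added example, not Airlock code: the class names, the `X-API-Key` header, the status codes and the sample data are assumptions, and rate limits are left out to keep it short.

```python
import time

class PolicyService:
    """Stand-in for the API Policy Service (steps 5-6); all data is constructed."""
    def __init__(self):
        # api_key -> Tech-Client record (constructed sample values)
        self.clients = {"key-123": {"id": "tc-1", "plans": {"orders"}, "locked": False}}
        self.calls = 0

    def lookup(self, api_key):
        self.calls += 1
        client = self.clients.get(api_key)
        if client is None or client["locked"]:       # step 5: lock check
            return None
        return {"id": client["id"], "plans": set(client["plans"])}  # step 6

class Gateway:
    """Hypothetical model of steps 3-9; not the product's implementation."""
    def __init__(self, policy, cache_ttl, clock=time.monotonic):
        self.policy, self.ttl, self.clock = policy, cache_ttl, clock
        self.cache = {}                               # api_key -> (expiry, attributes)

    def handle(self, headers, required_plan):
        api_key = headers.get("X-API-Key")            # step 3: extract (header name assumed)
        if not api_key:
            return 401, None
        entry = self.cache.get(api_key)               # step 3: cache lookup
        if entry and entry[0] > self.clock():
            attrs = entry[1]                          # hit: steps 4-7 are skipped
        else:
            self.cache.pop(api_key, None)             # drop an expired entry
            attrs = self.policy.lookup(api_key)       # steps 4-6
            if attrs is None:
                return 403, None
            self.cache[api_key] = (self.clock() + self.ttl, attrs)  # step 7
        if required_plan not in attrs["plans"]:       # step 8: plan check
            return 403, attrs["id"]
        return 200, attrs["id"]                       # step 9: forward with Tech-Client ID

def demo():
    now = [0.0]                                       # fake clock, in seconds
    policy = PolicyService()
    gw = Gateway(policy, cache_ttl=60, clock=lambda: now[0])
    req = {"X-API-Key": "key-123"}
    first = gw.handle(req, "orders")                  # miss: policy call, result cached
    policy.clients["key-123"]["locked"] = True        # Tech-Client gets locked in IAM
    now[0] = 30; during = gw.handle(req, "orders")    # cache hit: lock not seen yet
    now[0] = 61; after = gw.handle(req, "orders")     # entry expired: lock enforced
    return first, during, after, policy.calls
```

In this model the cache timeout is the upper bound on how long a locked Tech-Client keeps being accepted, which is the trade-off to weigh when choosing the timeout value.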