Skip to Content

Protect Your API Proxy by Adding Application Key Verification

Protect your API Proxy with a first simple policy -- the Verify API Key policy.
You will learn

SAP Integration Suite, API Management offers several out of the box policies which help you protect, model and “work” with your APIs. One of the security related Policies is the “Verify API Key” Policy.

mhassett92Meredith HassettJuly 19, 2021
Created by
August 22, 2017


In this tutorial you will learn how to protect your API Proxy with the “Verify API Key” Policy. This policy allows you to add a simple protection via a so called API Key. Only calls which send a valid API Key along with the main request will be allowed to call the API Proxy.


  • When you now open the API Proxy in a browser you will get an error message stating that you need to pass an API Key in the header APIKey.
  • Step 1

    It is important to understanding the API policy flow so you gain an understanding of why a policy is applied at a certain time in the flow. For instance, access policies should be verified before the API call to reduce using resources unnecessarily. The entire request/response cycle is divided up, first into segments, then within each segment, into processing stages.

    Where do you check the fundamentals requirements of an Incoming Request?

  • Step 2

    When creating a policy, you will need to know how the information is available in the policy and policy editor. Understand how the Policy Designer accesses the proxy flow by reading this blog post.

    When looking at the stages of the request flow in the Policy Editor, which policies are shown?

  • Step 3

    Edit a policy and assign it to your proxy flow. This blog will ensure you know how to identify the proper stage to add a policy, as well as how to assign a policy to the flow.

    What is the value for ref in the the APIKey tag for the CheckAPIKey Policy?

  • Step 4

    You will look at assigning multiple policies to various processing stages, and how the outcome of one policy can be used to influence the behavior of another policy.

    Which property do you set when creating a policy to determine if you should check the response or request?

  • Step 5

    Open the SAP API Management API Portal (you can get the URL from Enable the SAP Integration Suite, API Management Service).

    Access the API Portal
  • Step 6

    From the Hamburger Menu in the upper left corner and click on Develop.

    Click on Develop
  • Step 7

    Select the API GWSAMPLE_BASIC created in a previous step in the this tutorial series.

    Select the GWSAMPLE_BASIC Proxy
  • Step 8

    In the upper right corner click on Policies to open the policy information for the API.

    Select policies on API page
  • Step 9

    In the Policy Editor, click on Edit.

    Click on Edit
  • Step 10

    Select the PreFlow from the ProxyEndpoint on the left hand side.

    Select Pre-flow
  • Step 11

    On the right hand, find the Security Policies section under the Policies pane. Find the Verify API Key policy and click the + next to the policy name.

    Add Verify API Key policy
  • Step 12

    Enter the Policy Name CheckAPIKey and click on Add.

    Enter CheckAPIKey
  • Step 13

    In the Code Editor found in the bottom pane, look for the <APIKey ... /> tag. Replace the string variable_containing_api_key with request.header.APIKey.

    Adjust the policy
  • Step 14

    Click on Update to apply the new policies.

    Click on Update

    Click on Save to save the changes to the API and enforce the new policies.

    Click on Save
Back to top