Require users to authenticate when they send requests to your API products. After you set up the frontend application for the developer portal, this authentication is what controls who can reach each API product.

Gloo Portal supports the following types of external auth:

  • API key: API keys are a simple way to protect access to your API products. You can scope API keys to certain usage plans and APIs. However, an API key is a bearer secret: anyone who presents it is accepted, so it proves possession of the key and makes no guarantee about the user's identity. API keys also do not support a single sign-on (SSO) authentication strategy, and they are easier to share and leak, for example in client code or request logs.
  • OIDC with OAuth 2.0 protocol: For more robust authentication, you can apply an OAuth policy to enforce authentication through an OpenID Connect (OIDC) provider. This way, you can be more sure of the identity of the user who accesses an API product. For more security, you can enforce the OAuth 2.0 authorization code flow, in which the user is redirected to the provider to log in and the gateway exchanges the returned code for tokens, rather than only validating an access token that the client presents. OIDC can also support SSO for a more seamless user experience. After authenticating, your users can still use the portal server frontend to generate API keys. This way, you have two layers of security: the OIDC login proves who the user is, and the API key ties the request to a usage plan that the portal issued to that user.
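The following standalone model shows the difference between the two layers described above. It is an added example, not Gloo Portal or ext-auth code: the API key store, the usage plans, the token signing secret and the sample requests are all constructed for the illustration, and HS256 with a shared secret stands in for the RS256/JWKS signing a real OIDC provider uses. The point it demonstrates is that the API-key check alone yields a usage plan but no verified identity, while the OIDC token check yields a subject, and that combining them lets you reject a key that does not belong to the logged-in user.

```python
"""Model of API-key vs OIDC checks in front of an API product (added example)."""
import base64
import hashlib
import hmac
import json
import time


def _sha256(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


# Constructed usage plans: each plan covers a set of API products.
USAGE_PLANS = {
    "bronze": {"apis": {"petstore"}},
    "gold": {"apis": {"petstore", "billing"}},
}

# Constructed API key store. Keys are random, high-entropy strings, so a plain
# SHA-256 of the key is an acceptable lookup value (unlike passwords). Each key
# records the portal account that generated it and the plan it was issued under.
API_KEYS = {
    _sha256("ak_bronze_example"): {"owner": "alice", "plan": "bronze"},
    _sha256("ak_gold_example"): {"owner": "bob", "plan": "gold"},
}

# Constructed OIDC settings (assumptions for this example only).
ISSUER = "https://idp.example.com"
AUDIENCE = "dev-portal"
TOKEN_SECRET = b"constructed-shared-secret"  # HS256 stands in for RS256/JWKS


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(sub: str, now: int, ttl: int = 300) -> str:
    """Build an HS256 JWT the way the constructed identity provider would."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": sub, "iat": now, "exp": now + ttl}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(TOKEN_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now: int):
    """Return verified claims, or None if structure, alg, signature, iss, aud or exp fail."""
    try:
        h, c, s = token.split(".")
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":
            return None  # reject alg confusion such as "none"
        expected = hmac.new(TOKEN_SECRET, f"{h}.{c}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(c))
    except ValueError:  # covers bad base64, bad JSON, wrong segment count
        return None
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


def check_api_key(headers: dict, api: str):
    """API-key layer: tells you which plan the caller holds, not who the caller is."""
    key = headers.get("api-key")
    if not key:
        return None, "missing api-key"
    record = API_KEYS.get(_sha256(key))
    if record is None:
        return None, "unknown api-key"
    if api not in USAGE_PLANS[record["plan"]]["apis"]:
        return None, f"plan {record['plan']} does not cover {api}"
    return record, "ok"


def authorize(headers: dict, api: str, now: int, require_oidc: bool):
    """Decide one request. Returns (allowed, verified_identity_or_None, reason)."""
    record, why = check_api_key(headers, api)
    if record is None:
        return False, None, why
    if not require_oidc:
        # Key only: the plan is known, the human behind the request is not proven.
        return True, None, f"api-key ok (plan {record['plan']}), identity unverified"
    auth = headers.get("authorization", "")
    if not auth.startswith("Bearer "):
        return False, None, "missing bearer token"
    claims = verify_token(auth[len("Bearer "):], now)
    if claims is None:
        return False, None, "invalid token"
    # Second layer: the key must belong to the authenticated user, so a key
    # leaked from one account cannot be replayed under another account's login.
    if claims["sub"] != record["owner"]:
        return False, claims["sub"], "api-key not owned by token subject"
    return True, claims["sub"], f"oidc+api-key ok (plan {record['plan']})"


if __name__ == "__main__":
    now = int(time.time())
    tok = mint_token("alice", now)
    print(authorize({"api-key": "ak_bronze_example"}, "petstore", now, require_oidc=False))
    print(authorize({"api-key": "ak_bronze_example", "authorization": "Bearer " + tok}, "petstore", now, require_oidc=True))
    print(authorize({"api-key": "ak_gold_example", "authorization": "Bearer " + tok}, "billing", now, require_oidc=True))
```

Run as a script to see the three decisions: the key-only request is allowed with no identity, the key-plus-token request is allowed as `alice`, and bob's key presented with alice's token is refused even though both are individually valid.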