# API clients, access profiles, and access policies

Clients are logical groups of users, such as members from the same organization, who receive access to one or more API collections through an access profile. A client can have one or more access profiles, which specify the collection, authentication method, access policy, and IP addresses on the allowlist.

An access policy restricts usage of an API through a rate limit and a usage quota.

# API clients

Navigate to API platform > Clients. Here, API owners can create and manage API clients.

[Screenshot: API platform client tab]

# Create new client

1. Select New client.

   [Screenshot: Add new client]

2. Fill in the following fields:

  • Name: Enter a descriptive name for the client.
  • Description (optional): Enter a note for the client.
  • Client logo (optional): Select a .jpg or .png file to upload a logo.
  • Project: Select a project. Only members with access to this project are able to see the client.

   [Screenshot: Configure fields for a new client]

3. Select Add client.

Next, create an access profile.

# Access profile

Every client has one or more access profiles that are associated with API collections. An access profile gives a client access to one or more API recipe collections and/or API proxy collections.

We recommend that API owners create a unique access profile for each API consumer. This allows you as the API owner to delegate access to specific API collections and impose access policies. Furthermore, it allows you to generate usage information about how API consumers are using your API endpoints.

API CONSUMERS

An API consumer can be a person, script, or automated program.

To view a client's access profiles and create new profiles, navigate to API platform > Clients and select a client. The following screenshot contains an example of a client (ACME Company) with one access profile (also called ACME Company).

[Screenshot: API client with access profile]

# Access profile fields

Note the Auth Token field. A unique API key is generated for each client. This token is a long string of characters. It needs to be supplied to the client so that the client can connect to the API. Treat this API key as confidential information; it should be known only to the API owner and the client.

An API key can be revoked, and a new one issued, by clicking on the Refresh button next to the token.

A client can be Active or Inactive. An inactive client cannot call any APIs. Moving the slider right will switch the client's status to Active, after which API calls will be accepted.

# Create new access profile

Prerequisites:

  1. Configure an API collection
  2. (Optional) Create an access policy
  3. Create a client

1. Navigate to API platform > Clients and select the new client.

2. Select Create new access profile.

   [Screenshot: Create new access profile]

3. Fill in the following fields:

  • Profile name: Enter a descriptive name for the access profile.
  • API collections to include: Select one or more collections. You can send requests to endpoints in these collections using your access profile.
  • Authentication method: This can be an auth token, OAuth 2.0, JSON web token (JWT), or OpenID Connect.
  • Policy (optional): Select a policy that will govern access to API collections included in this profile.
  • Allowed IPs: Manage which IP addresses can access this profile. To add multiple IP addresses, separate them using commas, or define a range (106.226.100.3/20). When this field is set, only requests initiated from these addresses are allowed.

   [Screenshot: Configure new access profile settings]

4. Select Next.

5. Select Create access profile.

   [Screenshot: Confirm creating an access profile]

6. Copy the auth token and save it somewhere secure. This is the only time you can view the token. If you lose the token, you must create a new one.

   [Screenshot: Example auth token]

7. Select Done. The new access profile is visible on the client's page.
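Before saving an Allowed IPs value, it helps to see how wide each entry really is. The following is an added example, not part of the platform's documentation or code: it expands a comma-separated value under standard CIDR interpretation and flags broad ranges. The function names, the sample value, and the 256-address review threshold are assumptions, and how the platform itself evaluates the field is not documented on this page.

```python
import ipaddress

# Constructed sample: a documentation-range address plus the range quoted on this page.
SAMPLE = "203.0.113.10, 106.226.100.3/20"


def parse_allowlist(field):
    """Parse a comma-separated Allowed IPs value into ip_network objects.

    strict=False accepts entries whose host bits are set (106.226.100.3/20)
    and normalises them to the enclosing network, as CIDR matching does.
    """
    networks = []
    for entry in field.split(","):
        entry = entry.strip()
        if entry:  # tolerate trailing commas
            networks.append((entry, ipaddress.ip_network(entry, strict=False)))
    return networks


def is_allowed(source_ip, field):
    """True if source_ip falls inside any entry of the allowlist value."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr.version == net.version and addr in net
               for _, net in parse_allowlist(field))


def audit(field, max_addresses=256):
    """Return (entry, normalised network, address count, too_broad) per entry.

    max_addresses is a hypothetical review threshold, not a platform limit.
    """
    return [(entry, str(net), net.num_addresses, net.num_addresses > max_addresses)
            for entry, net in parse_allowlist(field)]


if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
    for ip in ("203.0.113.10", "106.226.96.1", "106.226.111.255", "106.226.112.1"):
        print(ip, is_allowed(ip, SAMPLE))
```

Under this interpretation the /20 entry covers 4,096 addresses starting at 106.226.96.0, not only the neighbourhood of the address written in the field.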


Last updated: 9/14/2023, 9:26:48 AM