API clients and access profiles

Clients are logical groups of users, such as members from the same organization, who receive access to one or more API collections through an access profile. A client can have one or more access profiles, which specify the collection, authentication method, access policy, and IP addresses on the allowlist.

API clients

Go to Platform > API platform > Clients in the Orchestrate platform. API owners can manage and create new API clients here.

API platform client tab

Create new client

1

Select New client.

Add new client

2

Fill in the following fields:

• Name

• Enter a descriptive name for the client.

• Description (optional)

• Enter a note for the client.

• Client logo (optional)

• Select a .jpg or .png file to upload a logo.

• Project

• Select a project. Only members with access to this project are able to see the client.

Configure fields for a new client

3

Select Add client.

Next, create an access profile.

Access profiles

Every client has one or more access profiles that are associated with API collections. An access profile gives a client access to one or more API recipe collections and/or API proxy collections.

We recommend that API owners create a unique access profile for each API consumer. This allows you as the API owner to delegate access to specific API collections and impose access policies. Furthermore, it allows you to generate usage information about how API consumers are using your API endpoints.

API CONSUMERS

An API consumer can be a person, script, or automated program.

To view a client's access profiles and create new profiles, navigate to API platform > Clients and select a client. The following screenshot contains an example of a client (ACME Company) with one access profile (also called ACME Company).

API client with access profile

Access profile fields

A unique API key is generated for each client in the Auth Token field. This token is a long string of characters. It must be supplied to the client so that the client can connect to the API. Treat this API key as confidential information; it should be known only to the API owner and the client.

An API key can be revoked, and a new one issued, by clicking the Refresh button next to the token.

A client can be Active or Inactive. An inactive client cannot call any APIs. Click the toggle to set the client's status to Active and enable the client to call APIs.

Create new access profile

Prerequisites:

1. Configure an API collection
2. (Optional) Create an access policy
3. Create a client

1

Go to Platform > API platform > Clients in the Orchestrate platform and select the new client.

2

Select Create new access profile.

Create new access profile

3

Fill in the following fields:

• Profile name

• Enter a descriptive name for the access profile.

• API collections to include

• Select one or more collections. You can send requests to endpoints in these collections using your access profile.

• Authentication method

• This can be an Auth token, an OAuth 2.0 access token, a JSON web token (JWT), or OpenID Connect.

• Policy (optional)

• Select a policy that will govern access to API collections included in this profile.

• Allowed IPs

• Specify which IP addresses can access this profile. To add multiple IP addresses, separate them using commas or define a range (106.226.100.3/20). When this field is set, only requests initiated from these addresses are allowed.

• Blocked IPs

• Specify which IP addresses cannot access this profile. Blocked IPs take precedence over allowed IPs. For example, if an IP appears in both the Allowed IPs and Blocked IPs lists, requests from that IP are blocked.

Configure new access profile settings

4

Select Next.

5

Select Create access profile.

Confirm creating an access profile

6

Copy the auth token and save it in a secure place. This is the only time you can view the token. If you lose the token, you must create a new one.

Example auth token

7

Select Done. The new access profile is visible on the client's page.