← How-to Guides

Enable key authentication on a service with Kong Gateway

Uses: Kong Gateway decK
TL;DR

Enable the Key Authentication plugin on the service. This plugin will require all requests made to this service to have a valid API key.

Prerequisites

Kong Gateway running

This tutorial requires Kong Gateway. If you don’t have it set up yet, you can use the quickstart script to get an instance of Kong Gateway running almost instantly:

curl -Ls https://get.konghq.com/quickstart | bash -s

Once Kong Gateway is ready, you will see the following message:

Kong Gateway Ready

decK

decK is a CLI tool for managing Kong Gateway declaratively with state files. To complete this tutorial you will first need to:

  1. Install decK

  2. Create a deck_files directory and a kong.yaml file in the directory:

     mkdir deck_files  && touch deck_files/kong.yaml

Pre-configured entities

For this tutorial, you’ll need Kong Gateway entities, like services and routes, pre-configured. These entities are essential for Kong Gateway to function but installing them isn’t the focus of this guide. Follow these steps to pre-configure them:

  1. Create a prereqs.yaml file within your deck_files directory, and add the following content to it:

    _format_version: '3.0'
services:
  - name: example-service
    url: http://httpbin.org/anything
routes:
  - name: example-route
    paths:
    - "/anything"
    service:
      name: example-service

  2. Sync your changes.

    deck gateway sync deck_files

    Make sure to substitute your Konnect Personal Access Token for konnect_token and the control plane name for KONNECT_CP_NAME in the command:

    deck gateway sync deck_files \
  --konnect-token $KONNECT_TOKEN \
  --konnect-control-plane-name $KONNECT_CP_NAME

To learn more about entities, you can read our entities documentation.

1. Enable the Key Authentication plugin on the service:

 
_format_version: '3.0'
plugins:
  - name: key-auth
    service: example-service
    config:
      key_names:
      - apikey

2. Create a consumer

 
consumers:
  - username: alex
    keyauth_credentials:
    - key: hello_world

3. Validate

After configuring the Key Authentication plugin, you can verify that it was configured correctly and is working, by sending requests with and without the API key you created for your consumer.

This request should be successful:

curl --request GET \
 --url http://localhost:8000/example-route/anything \
 --header 'apikey: hello_world'

This request should return a 401 Unauthorized error:

curl --request GET \
 --url http://localhost:8000/example-route/anything \
 --header 'apikey: another_key'

Cleanup

Clean up Konnect environment

If you created a new control plane and want to conserve your free trial credits or avoid unnecessary charges, delete the new control plane used in this tutorial.

Destroy the Kong Gateway container

 
curl -Ls https://get.konghq.com/quickstart | bash -s -- -d

Did this doc help?

Yes No
Something wrong?
Report an Issue | Edit this Page

Help us make these docs great!

Kong Developer docs are open source. If you find these useful and want to make them better, contribute today!
Contribute

Still need help

Ask in our Forum
Contact Support