mirrors/traefik
1
0
Fork 0
mirror of https://github.com/traefik/traefik.git synced 2025-08-06 14:47:09 +02:00
Code Issues Projects Releases Wiki Activity
c20802b07e
traefik/docs/content/reference/routing-configuration/http/middlewares/apikey.md

3.1 KiB
Raw Blame History

title description
API Key Authentication Traefik Hub API Gateway - The API Key authentication middleware allows you to secure an API by requiring a secret key, base64 encoded or not, to be given, via an HTTP header, a cookie or a query parameter.

!!! info "Traefik Hub Feature" This middleware is available exclusively in Traefik Hub. Learn more about Traefik Hub's advanced features.

The API Key authentication middleware allows you to secure an API by requiring a secret key, base64 encoded or not, to be given, via an HTTP header, a cookie or a query parameter.

Configuration Example

apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: test-apikey
  namespace: apps
spec:
  plugin:
    apiKey:
      keySource:
        headerAuthScheme: Bearer
        header: Authorization
      secretNonBase64Encoded: true
      secretValues:
        - "urn:k8s:secret:apikey:secret"
        - "urn:k8s:secret:apikey:othersecret" 

apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: apikey
  namespace: whoami
stringData:
  secret: $2y$05$D4SPFxzfWKcx1OXfVhRbvOTH/QB0Lm6AXTk8.NOmU4rPLX2t6UUuW # htpasswd -nbB "" foo | cut -c 2-
  othersecret: $2y$05$HbLL.g5dUqJippH0RuAGL.RaM9wNS2cT7hp6.vbv5okdCmVBSDzzK # htpasswd -nbB "" bar | cut -c 2-

Configuration Options

Field Description Default Required
keySource.header Defines the header name containing the secret sent by the client.
Either keySource.header or keySource.query or keySource.cookie must be set.		 "" No
keySource.headerAuthScheme Defines the scheme when using Authorization as header name.
Check out the Authorization header documentation.		 "" No
keySource.query Defines the query parameter name containing the secret sent by the client.
Either keySource.header or keySource.query or keySource.cookie must be set.		 "" No
keySource.cookie Defines the cookie name containing the secret sent by the client.
Either keySource.header or keySource.query or keySource.cookie must be set.		 "" No
secretNonBase64Encoded Defines whether the secret sent by the client is base64 encoded. false No
secretValues Contain the hash of the API keys.
Supported hashing algorithms are Bcrypt, SHA1 and MD5.
The hash should be generated using htpasswd.
Can reference a Kubernetes Secret using the URN format: urn:k8s:secret:[name]:[valueKey]		 [] Yes

{!traefik-for-business-applications.md!}