I am trying to understand and use KrakenD as an API gateway within our system. One of the use cases I am trying to achieve is the usage of API keys.
This documentation of KrakenD (https://www.krakend.io/docs/enterprise/authentication/api-keys/) shows how to configure a couple of API keys within the configuration file. However, in my use case, I may issue API keys to several users (let us say more than 100 and above) and these keys are issued using a web application GUI.
So, it doesn't look feasible to configure KrakenD, because it means I have to add to this configuration every time a new API key is issued or regenerated.
What is the best practice to handle such a situation? Should I bypass KrakenD and let my app manage the keys using a database?
The approach suggested at the end of the referenced document is to create a pool of API keys in a partials file such as api-keys.json, which would get pre-configured into KrakenD. This is good as it doesn't require a restart of KrakenD.
However, if an API key is revoked / invalidated, I would need to re-create a new list by removing the revoked key, synchronize my database with this new list, and also restart KrakenD.
Is this the only way conceivable? Thanks and regards,
The API Key component is an Enterprise-only feature. Looking at the functionality of the component, you can preload thousands of API-keys in the KrakenD configuration and assign them as you go. As you are pointing out, you need to redeploy if you want to expand the pool of keys, or if you want to remove some of them.
If you want to achieve a "hot administration" of the keys, there are two options (that you could code with plugins, or as an Enterprise customer you could get):