Monday, June 30, 2025

APIM (API Management) - APIKey Policy

What is an API-M?

In SAP CPI (Cloud Platform Integration), APIM stands for API Management, a capability of SAP Integration Suite. It lets an organization create, publish and manage the APIs that connect applications and systems inside and outside the enterprise. APIM is the central place to secure APIs with policies (authentication, rate limiting, IP whitelisting), monitor API usage, control access, and expose APIs through a developer portal for external consumption.

Key components: 

API Provider: Represents the backend system or service, for example an iFlow endpoint alias (which does basic transformation or fetches data from backend systems such as a DB, ECC, S/4HANA or Salesforce) or any other system that exposes APIs.

API Proxy: The API interface that consumers/third-party systems actually call. It is created so that policies, transformations and security can be applied before the request reaches the backend API URL, which is never exposed directly.

API Product: A collection or bundle of one or more API proxies made available together to developers.

Security and Monitoring: OAuth2, API keys, rate limiting, IP whitelisting and built-in threat-protection policies secure the APIs, while analytics and monitoring track API performance and usage.



Case Study:

1. Create an iFlow that calls the backend system to fetch the data, using either a connector or an HTTP call.


Sample third-party URL (dummy):
https://dummy.restapiexample.com/api/v1/employees
(the response depends on the URL being available)
Method: GET

Now deploy it and test it.

2. Create API Provider
Go to Configure > API, then API Provider, and click "Create"



Specify the details as shown below (the service key details of the API), save it and test the connection.

3. Create API Proxy
    Click on Create



Select the API from the drop-down list and click on "Discover"


Select the required one and click on Next
Select OAuth and specify the PRT (Process Integration Runtime) service key values: Client ID, Client Secret, Token URL..

The proxy URL is created as shown below..




Now test the endpoint from Postman...



The call succeeds without any credential. The OAuth client ID and secret entered above are used by the proxy to call the iFlow; nothing is asked of the consumer, so at this point anyone who knows the proxy URL can call it. We need to protect it with an Application Key (API key)...

For that, we first need to create a Product..

4. Go to Engage and click Create..



Enter Name and Title, and the Quota and its interval as required..




Go to APIs, select the API and then click on OK.
Then Save it and Publish it to the Developer Hub.



After a successful Publish you can see it in the Hub.



Click on the product, then create a New Subscription for an Application..



Specify the name and save it to get the API key.


This key uniquely identifies the subscribed application, i.e. the end consumer of the API. Treat it as a credential: whoever holds it can call every API in the product, so send it only over HTTPS and revoke it (delete the subscription) if it leaks.



To accept a request only when it carries a valid API key, we apply the "Verify API Key" policy (usually in the PreFlow of the ProxyEndpoint, so it runs before anything else)..

Go to API Proxy, select the API and click on Policies..



Accepting the API key through a header (the ref must be exactly request.header.<name>, with no trailing space inside the quotes, otherwise the variable never resolves and every request is rejected):

 <!--Specify in the APIKey element where to look for the variable containing the api key-->
<VerifyAPIKey async='true' continueOnError='false' enabled='true'
xmlns='http://www.sap.com/apimgmt'>
    <APIKey ref='request.header.APIKey'/>
</VerifyAPIKey>

Accepting the API key through a query parameter (note that a key in the URL ends up in access logs, proxy logs and browser history, so prefer the header form whenever the consumer can set headers):

 <!--Specify in the APIKey element where to look for the variable containing the api key-->
<VerifyAPIKey async='true' continueOnError='false' enabled='true'
xmlns='http://www.sap.com/apimgmt'>
    <APIKey ref='request.queryparam.APIKey'/>
</VerifyAPIKey>

Save the policy and deploy the API proxy.

Now test the API from Postman, sending the API key either as a header or as a query parameter. A request without the key, or with a key that belongs to no subscription, is rejected by the policy before it reaches the iFlow.

APIKey as queryparam


APIKey as header

That's all.

If you want to see the list of subscriptions for the product, go to the Hub and select the product..



You can also test from the API portal, and its debug view helps identify issues with policies or conversions; it is useful for complex flows.

Source: SAP Community.

Thanks for reading :-)
