
APIKey Traefik Hub API Gateway

Traefik Hub Feature

This middleware is available exclusively in Traefik Hub. Learn more about Traefik Hub's advanced features.

The API Key authentication middleware secures an API by requiring the client to supply a secret key, base64 encoded or not, via an HTTP header, a cookie or a query parameter.


Configuration Example

apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: test-apikey
  namespace: apps
spec:
  plugin:
    apiKey:
      keySource:
        headerAuthScheme: Bearer
        header: Authorization
      secretNonBase64Encoded: true
      secretValues:
        - "urn:k8s:secret:apikey:secret"
        - "urn:k8s:secret:apikey:othersecret"
---
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: apikey
  namespace: whoami
stringData:
  secret: $2y$05$D4SPFxzfWKcx1OXfVhRbvOTH/QB0Lm6AXTk8.NOmU4rPLX2t6UUuW # htpasswd -nbB "" foo | cut -c 2-
  othersecret: $2y$05$HbLL.g5dUqJippH0RuAGL.RaM9wNS2cT7hp6.vbv5okdCmVBSDzzK # htpasswd -nbB "" bar | cut -c 2-

Configuration Options

| Field | Description | Default | Required |
|---|---|---|---|
| keySource.header | Defines the header name containing the secret sent by the client. Either keySource.header or keySource.query or keySource.cookie must be set. | "" | No |
| keySource.headerAuthScheme | Defines the scheme when using Authorization as header name. Check out the Authorization header documentation. | "" | No |
| keySource.query | Defines the query parameter name containing the secret sent by the client. Either keySource.header or keySource.query or keySource.cookie must be set. | "" | No |
| keySource.cookie | Defines the cookie name containing the secret sent by the client. Either keySource.header or keySource.query or keySource.cookie must be set. | "" | No |
| secretNonBase64Encoded | Defines whether the secret sent by the client is base64 encoded. | false | No |
| secretValues | Contains the hashes of the API keys. Supported hashing algorithms are Bcrypt, SHA1 and MD5. The hash should be generated using htpasswd. Can reference a Kubernetes Secret using the URN format: urn:k8s:secret:[name]:[valueKey] | [] | Yes |
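
The check below is an added example, not part of the Traefik Hub documentation: it classifies the hashes stored for secretValues by their htpasswd prefix and flags SHA1, MD5, low-cost bcrypt and unhashed entries. The `classify` and `audit` names, the cost threshold of 10 and every sample value except the page's two bcrypt hashes are assumptions of this example.

```python
import base64
import hashlib
import re

# Hash prefixes written by htpasswd for the three algorithms the page lists.
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
MIN_BCRYPT_COST = 10  # assumption of this example, not a Traefik Hub setting


def classify(value):
    """Return (algorithm, finding) for one hash stored for secretValues."""
    value = value.strip()
    if value.startswith(":"):
        return ("malformed", "leading ':' left in place (missing `cut -c 2-`)")
    match = BCRYPT_RE.match(value)
    if match:
        cost = int(match.group(1))
        if cost < MIN_BCRYPT_COST:
            return ("bcrypt", f"cost {cost} is below {MIN_BCRYPT_COST}")
        return ("bcrypt", "ok")
    if value.startswith("$apr1$"):
        return ("md5", "weak algorithm, regenerate with htpasswd -B")
    if value.startswith("{SHA}"):
        return ("sha1", "weak algorithm (unsalted), regenerate with htpasswd -B")
    return ("unknown", "not an htpasswd hash; possibly a plaintext key")


def audit(string_data):
    """Map each Secret key to its finding, skipping entries that are ok."""
    results = {k: classify(v) for k, v in string_data.items()}
    return {k: r for k, r in results.items() if r[1] != "ok"}


# The first two values are the hashes from the page's Secret; the rest are
# constructed for this example.
SAMPLE = {
    "secret": "$2y$05$D4SPFxzfWKcx1OXfVhRbvOTH/QB0Lm6AXTk8.NOmU4rPLX2t6UUuW",
    "othersecret": "$2y$05$HbLL.g5dUqJippH0RuAGL.RaM9wNS2cT7hp6.vbv5okdCmVBSDzzK",
    "legacy": "{SHA}" + base64.b64encode(hashlib.sha1(b"demo").digest()).decode(),
    "colon": ":$2y$12$" + "a" * 53,
    "strong": "$2y$12$" + "a" * 53,
    "raw": "not-a-hash",
}

if __name__ == "__main__":
    for name, (algo, finding) in audit(SAMPLE).items():
        print(f"{name}: {algo}: {finding}")
```

The bcrypt cost is the two-digit field after `$2y$`; tune `MIN_BCRYPT_COST` to the request latency you can accept.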
