Traefik Hub Feature
This middleware is available exclusively in Traefik Hub. Learn more about Traefik Hub's advanced features.
The API Key authentication middleware allows you to secure an API by requiring a secret key, base64 encoded or not, to be given, via an HTTP header, a cookie or a query parameter.
Configuration Example¶
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: test-apikey
namespace: apps
spec:
plugin:
apiKey:
keySource:
headerAuthScheme: Bearer
header: Authorization
secretNonBase64Encoded: true
secretValues:
- "urn:k8s:secret:apikey:secret"
- "urn:k8s:secret:apikey:othersecret"
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: apikey
namespace: whoami
stringData:
secret: $2y$05$D4SPFxzfWKcx1OXfVhRbvOTH/QB0Lm6AXTk8.NOmU4rPLX2t6UUuW # htpasswd -nbB "" foo | cut -c 2-
othersecret: $2y$05$HbLL.g5dUqJippH0RuAGL.RaM9wNS2cT7hp6.vbv5okdCmVBSDzzK # htpasswd -nbB "" bar | cut -c 2-
Configuration Options¶
Field | Description | Default | Required |
---|---|---|---|
keySource.header |
Defines the header name containing the secret sent by the client. Either keySource.header or keySource.query or keySource.cookie must be set. |
"" | No |
keySource.headerAuthScheme |
Defines the scheme when using Authorization as header name. Check out the Authorization header documentation. |
"" | No |
keySource.query |
Defines the query parameter name containing the secret sent by the client. Either keySource.header or keySource.query or keySource.cookie must be set. |
"" | No |
keySource.cookie |
Defines the cookie name containing the secret sent by the client. Either keySource.header or keySource.query or keySource.cookie must be set. |
"" | No |
secretNonBase64Encoded |
Defines whether the secret sent by the client is base64 encoded. | false | No |
secretValues |
Contain the hash of the API keys. Supported hashing algorithms are Bcrypt, SHA1 and MD5. The hash should be generated using htpasswd .Can reference a Kubernetes Secret using the URN format: urn:k8s:secret:[name]:[valueKey] |
[] | Yes |
Using Traefik OSS in Production?
If you are using Traefik at work, consider adding enterprise-grade API gateway capabilities or commercial support for Traefik OSS.
Adding API Gateway capabilities to Traefik OSS is fast and seamless. There's no rip and replace and all configurations remain intact. See it in action via this short video.