
I am looking to build a service with authentication while also having the ability to restrict API calls. This is on GCP.

I am looking at Google API Gateway for this and understand that JWT-based authentication can give me the identity of who is calling - a user email and/or service account email. Using an API key can help me rate limit API calls with quotas.

Both API Key and JWT are authentication approaches. However, it seems I won't understand who the caller is with the API key approach (unless I maintain a registry on my end), or I won't be able to rate limit if I use the JWT approach.

Is my understanding above correct? Is there a way to rate limit calls to my API with the JWT approach?

Many Thanks for reading and perhaps responding.

Aris O
Moni
  • Yes, simply don't put the API key as security definition, but use it for the rate limit – guillaume blaquiere Mar 17 '23 at 08:34
  • @guillaumeblaquiere If the API key is not in the security definition, API Gateway won't check for its validity, correct? In that case, are you suggesting my backend service takes on the responsibility to handle API key validation and rate limiting? Thanks for your response. – Moni Mar 17 '23 at 18:16
  • Keep in mind that API Key is not an authentication mode (or at least not a recommended way to authenticate client). On Google Cloud, the API keys are used to know Who will pay, but not to access to confidential information. Think about Google Maps, or Translation API. – guillaume blaquiere Mar 17 '23 at 20:15

2 Answers


Posting this as a community wiki to help other community members that will encounter this kind of issue.

According to @guillaume blaquiere:

Simply don't put the API key as a security definition, but use it for the rate limit. Keep in mind that API Key is not an authentication mode (or at least not a recommended way to authenticate clients). On Google Cloud, the API keys are used to know Who will pay, but not to access confidential information. Think about Google Maps, or Translation API.


For more information about recommended authentication modes, you may visit this documentation.

Marc Anthony B
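As an added example (not configuration from the question or either answerer), this is the shape of an API Gateway OpenAPI spec that follows the suggestion above: the JWT check is the only security definition, so the gateway validates the caller's identity, while the API key the client sends as `?key=` is used only for quota accounting. The API title, audience, backend address and limit values are placeholders, and the spec assumes, as the answer states, that the gateway still attributes the quota to the project owning the key even though the key is not a security requirement.

```yaml
swagger: "2.0"
info:
  title: orders-api          # placeholder API name
  version: "1.0.0"
schemes:
  - https

# Only security definition: a Google-issued ID token. The gateway verifies
# the signature against the JWKS and forwards the caller identity upstream.
securityDefinitions:
  caller_jwt:
    type: oauth2
    flow: implicit
    authorizationUrl: ""
    x-google-issuer: "https://accounts.google.com"
    x-google-jwks_uri: "https://www.googleapis.com/oauth2/v3/certs"
    x-google-audiences: "https://orders-api.example.com"   # placeholder audience
security:
  - caller_jwt: []

# Quota is a separate concern: the metric is charged per consumer project,
# identified by the API key in the request. The key is deliberately NOT
# listed under securityDefinitions, so it never stands in for authentication.
x-google-management:
  metrics:
    - name: order-requests
      displayName: Order requests
      valueType: INT64
      metricKind: DELTA
  quota:
    limits:
      - name: order-requests-per-minute
        metric: order-requests
        unit: "1/min/{project}"
        values:
          STANDARD: 100   # constructed limit for the example

paths:
  /orders:
    get:
      operationId: listOrders
      x-google-backend:
        address: "https://orders-backend.example.com"   # placeholder backend
      x-google-quota:
        metricCosts:
          order-requests: 1      # each call consumes one unit of the quota
      responses:
        "200":
          description: OK
```

A request that carries a valid JWT but no key still passes authentication; whether it is rate limited depends on the gateway being able to attribute it to a consumer project, so the key is what ties the call to a quota bucket.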

According to Choosing an Authentication Method:

  • API Key can be used for authentication but not for authorization
  • JWT can be used for both authentication and authorization

Also, according to this (and my own testing), a single gateway cannot use both API Key and JWT for authentication -- you have to choose one.

kym
  • Thanks @kym, this has been my experience as well. I had hoped not to be forced to choose API Key if I needed rate limiting as well. – Moni Apr 04 '23 at 21:37