Securing Microservices in Bluemix using an API Key (Part 4)

An API Key consists of a client ID and secret. They must be passed with every request to the API Management gateway (either via headers or parameters) otherwise the request will not be authorized.

You can think of API Keys as being similar to Basic Auth, except that the APIM gateway provides and verifies the credentials.

It starts with adding API Key security to your API. You can require that the ID and secret be passed by custom header or query string parameter.


In this scenario APIM will require API Key authentication, but the API provider knows nothing of the API Key and instead requires basic authentication using a functional ID.


With the API definition complete, we now need to use the API Management Developer Portal to create a client ID and secret and associate it with our client application.<organization>-<space>/<environment>

First we start with defining our client application, the caller of our API.  Next we select the API we wish to use. The API description tells us that it requires a client ID in order to access it.



Choose a plan and from there you will be prompted to associate the API+Plan with the Application you defined earlier.

The Application details showing the associated API and Plan

With the Application, API and Plan all associated now we retrieve the Client ID and Secret from the Developer Portal.


Take note and use the ID and secret to invoke your API via the API Management gateway.

curl -v -H 'Accept: application/json' /
-H 'X-IBM-Client-Id: <id>' /
-H'X-IBM-Client-Secret: <secret>'<organization>-<space>/<environment>/<api-basepath>/<api-operation>




  1. I’ve read a few of your examples thus far, and they seem to focus on securing the microservices themselves using only Basic Auth, which isn’t really secure. The richer auth scenarios seem to focus on APIM, while the sever vices continue to use basic. I’ll continue to search, but I’m curious if you’ve covered a more secure means of service auth on BlueMix or if you know someone who has?


    • Ideally your services wouldn’t explicitly involve any need for authentication, since it would be completely delegated to an API gateway such as APIM or Akana’s API Gateway products. Securing these services would involve mutual SSL authentication between the two parties ensuring that all access to the microservices is managed by the API gateway. Unfortunately this was not possible in Bluemix, so I resorted to Basic Auth since this was the easiest thing to do. Anything more sophisticated seems to defeat the purpose of adopting an API gateway in the first place (why do I need to implement authentication and authorization into my services in order to adopt a product that is supposed to provide the same thing?)


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s