Is there a way to setup the Verify API Key policy to have it look for either a query parameter OR a form parameter? We would like the calling part to be able to provide it in either place.
Solved! Go to Solution.
I guess we can use the ref attribute and reference variable value coming in query or form param,
<VerifyAPIKey async="false" continueOnError="false" enabled="true" name="Verify-API-Key-1"> <DisplayName>Custom label used in UI</DisplayName> <APIKey ref="variable_containing_api_key"/> </VerifyAPIKey>
Before this policy maybe use a JS to get key from either query/form param and set it to a variable. You can also use a couple of extract variable policies with appropiate conditions to set a variable.
It's a good practice to pass the API key in a header or form parameter rather than in a query parameter. The reason is that query parameters can show up in browser histories and network logs, which could present a possible security risk.