Authentication
Learn about API authentication and security
Authentication Guide
APIMW uses a two-step authentication process for security: API credentials for token generation, and JWT tokens for API access.
Authentication Flow
┌─────────────┐    API Key/Secret    ┌─────────────┐
│  Your App   │ ──────────────────►  │    APIMW    │
└─────────────┘                      │    /auth    │
       │                             └─────────────┘
       │                                    │
       │            Access Token            │
       │ ◄──────────────────────────────────┘
       │
       │ Bearer Token
       ▼
┌─────────────┐
│  APIMW API  │
└─────────────┘
API Credentials
Creating API Keys
- Log in to the Console at console.apimw.com
- Go to API Keys section
- Click Create New API Key
- Give your key a descriptive name
- Copy and securely store both the Key and Secret
Best Practices
- Never expose secrets in client-side code
- Use environment variables for credentials
- Rotate keys periodically
- Use separate keys for development and production
Access Tokens
Access tokens are JWTs (JSON Web Tokens) that authenticate your API requests.
Token Properties
| Property | Description |
|---|---|
| access_token | The JWT token string |
| token_type | Always "Bearer" |
| expires_in | Token lifetime in seconds (default: 3600) |
| refresh_token | Token to get a new access token |
Using Access Tokens
Include the token in the Authorization header:
Authorization: Bearer eyJhbGciOiJIUzI1NiIs...
Token Expiration
- Access tokens expire after 1 hour
- Use the refresh token to get a new access token
- If both expire, re-authenticate with API credentials
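The expiry handling above, and the automatic token refresh recommended below, as an added example (not APIMW's own client code): a small token manager that caches the access token, renews it shortly before the 3600-second lifetime ends, and falls back to re-authenticating with the API key and secret when the refresh token is rejected. The `/auth` path comes from the flow diagram; the request body keys, the `/auth/refresh` path, the `PermissionError` signalling a rejected token and the 24-hour refresh-token lifetime in the constructed in-memory test double are all assumptions.

```python
import time

class TokenManager:
    """Caches an APIMW access token, renews it shortly before the 1-hour expiry
    and re-authenticates with the API credentials once the refresh token fails."""
    def __init__(self, key, secret, post, clock=time.time, skew=60):
        # post(path, body) -> dict is an injected HTTP call; skew = seconds before expiry to renew
        self.key, self.secret, self.post, self.clock, self.skew = key, secret, post, clock, skew
        self.access_token = self.refresh_token = None
        self.expires_at = 0.0

    def _store(self, resp):
        self.access_token, self.refresh_token = resp["access_token"], resp["refresh_token"]
        self.expires_at = self.clock() + resp["expires_in"]  # expires_in is in seconds

    def authenticate(self):
        # Step 1 of the flow: exchange key/secret at /auth for a token pair.
        # The request body keys are an assumption; the page does not document them.
        self._store(self.post("/auth", {"api_key": self.key, "api_secret": self.secret}))

    def refresh(self):
        # Refresh grant; the /auth/refresh path and body are assumptions as well.
        self._store(self.post("/auth/refresh", {"refresh_token": self.refresh_token}))

    def auth_header(self):
        """Return the Authorization header, obtaining or renewing the token as needed."""
        if self.access_token is None:
            self.authenticate()
        elif self.clock() >= self.expires_at - self.skew:
            try:
                self.refresh()
            except PermissionError:  # refresh token expired: back to API credentials
                self.authenticate()
        return {"Authorization": f"Bearer {self.access_token}"}

class FakeAuthServer:
    """Constructed in-memory stand-in for the APIMW auth endpoints (a test double)."""
    def __init__(self, clock, refresh_ttl=86400):
        self.clock, self.refresh_ttl, self.calls, self.n, self.rt_exp = clock, refresh_ttl, [], 0, {}

    def post(self, path, body):
        self.calls.append(path)
        if path == "/auth" and body != {"api_key": "demo-key", "api_secret": "demo-secret"}:
            raise PermissionError("bad credentials")
        if path == "/auth/refresh" and self.clock() > self.rt_exp.get(body["refresh_token"], -1):
            raise PermissionError("refresh token expired")
        self.n += 1  # each successful call issues a fresh access/refresh pair
        self.rt_exp[f"rt{self.n}"] = self.clock() + self.refresh_ttl
        return {"access_token": f"at{self.n}", "token_type": "Bearer", "expires_in": 3600, "refresh_token": f"rt{self.n}"}
```

Injecting `post` and `clock` keeps the manager testable offline; in production pass a function that performs the HTTPS request and raises `PermissionError` on a 401/403 response.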
Security Recommendations
- Use HTTPS - All API requests must use HTTPS
- Secure Storage - Store credentials in environment variables
- Token Refresh - Implement automatic token refresh
- IP Whitelisting - Restrict API access by IP (Enterprise plan)
- Audit Logs - Monitor API usage in the Console