This is the first of hopefully many “howto’s” in setting up and configuring API Management platforms. In this blogpost I will be explaining how to change the location of the user-key from the default query parameters (insecure) section to the more secure HTTP(S) headers in the product combination Red Hat 3scale (API Management Platform) and NGINX (API Gateway).

HTTPS (HTTP over SSL) sends all HTTP content over a SSL tunnel, so HTTP content and headers are encrypted as well

This simple configuration must be changed immediately to avoid sending the user-key in plain text, which is a very bad idea! Also please remind that the full URI’s will typically also appear in all (request) log files.

API keys go by many names. You may see them referred to as ‘User key’, ‘API keys’, ‘app keys’, and ‘consumer keys’. All of these names are synonymous.

3scale (API Management Platform)
First of all we navigate to the “API” section on the 3scale administration portal ( We choose the API that we want to alter and select “Integration” settings. There we scroll down to the section that indicate “Authentication Settings”. There we simply check the radiobutton “As HTTP Headers” (Credential Locations).

Please note that the HTTP header holding the user-key must match the value of “Auth user key”!


Now simply click on “Update & Test Staging Configuration”, verify the result and click on “Update Production Configuration”.

NGINX (API Gateway)
In NGINX we will simply need to adjust the lua code in which the user-key is extracted from the request. For this open the file “nginx.lua” which can be found in main directory of NGINX (f.e. “/etc/nginx”).

Find the following line of code:

local parameters = get_auth_params("no_headers", string.split(ngx.var.request, " ")[1] )

and change it to:

local parameters = get_auth_params("headers", string.split(ngx.var.request, " ")[1] )

The lua function “get_auth_params” extracts and returns the headers from the request header or parameters from the request URI.

And now, last but not least, verify that the name of the parameter used for setting params.user_key exactly matches the name of the specified HTTP header in the 3scale administration portal (“Auth user key”).

params.user_key = parameters["user-key"]

Now stop/start or reload NGINX and the change should be effective. Again, you saved the day hero! Next blogpost I will be explaining how to achieve the above in the product Apigee Edge by Google.

Image result for 3Scale
Image result for NGINX