In this blog post I explain how to move the API key from its default location in the query parameters (insecure) to the more secure HTTP(S) headers in Apigee Edge by Google.

HTTPS (HTTP over SSL) sends all HTTP content over an SSL tunnel, so the HTTP content and headers are encrypted as well.

This simple configuration must be changed immediately to avoid sending the apikey in plain text, which is a very bad idea! Also, please remember that full URIs will typically also appear in all (request) log files.

API keys go by many names. You may see them referred to as ‘User key’, ‘API keys’, ‘app keys’, and ‘consumer keys’. All of these names are synonymous.

Apigee Edge (API Management Platform)
First of all, we navigate to the “APIs > API Proxies” section of the Apigee Edge administration portal. We choose the API Proxy that we want to alter and select the “Develop” tab. Select the policy “VerifyAPIKey”.

Find the following line in the XML-document:

 <APIKey ref="request.queryparam.apikey"/>

and simply change it to:

 <APIKey ref="request.header.apikey"/>




Click on the save button, redeploy the API Proxy and we are done!
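When many proxies are involved, the same check and change can be scripted over the policy XML files. The following is an added example, not part of the original post or of Apigee's tooling: it finds VerifyAPIKey policies that still read the key from the query string and rewrites the `ref` to the same-named header. The file names and sample policies are constructed, and it assumes the policy XML is available as local text.

```python
import xml.etree.ElementTree as ET

QUERY_PREFIX = "request.queryparam."
HEADER_PREFIX = "request.header."

# Constructed sample policies (assumption: not taken from a real proxy).
SAMPLE_POLICIES = {
    "Verify-Key-Query.xml": """<VerifyAPIKey name="Verify-Key-Query">
    <APIKey ref="request.queryparam.apikey"/>
</VerifyAPIKey>""",
    "Verify-Key-Header.xml": """<VerifyAPIKey name="Verify-Key-Header">
    <APIKey ref="request.header.apikey"/>
</VerifyAPIKey>""",
    "Quota.xml": """<Quota name="Quota"><Allow count="100"/></Quota>""",
}


def key_source(policy_xml):
    """Return the APIKey ref of a VerifyAPIKey policy, or None for other policies."""
    root = ET.fromstring(policy_xml)
    if root.tag != "VerifyAPIKey":
        return None
    node = root.find("APIKey")
    return node.get("ref") if node is not None else None


def audit(policies):
    """Map file name -> ref for every policy that reads the key from the URL."""
    findings = {}
    for name, xml_text in policies.items():
        ref = key_source(xml_text)
        if ref and ref.startswith(QUERY_PREFIX):
            findings[name] = ref
    return findings


def move_to_header(policy_xml):
    """Point the ref at the same-named header; other policies come back unchanged."""
    root = ET.fromstring(policy_xml)
    node = root.find("APIKey") if root.tag == "VerifyAPIKey" else None
    if node is None or not node.get("ref", "").startswith(QUERY_PREFIX):
        return policy_xml
    node.set("ref", HEADER_PREFIX + node.get("ref")[len(QUERY_PREFIX):])
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, ref in audit(SAMPLE_POLICIES).items():
        print(f"{name}: key read from URL ({ref})")
        print(move_to_header(SAMPLE_POLICIES[name]))
```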