In this blogpost I will be explaining how to change the location of the apikey from the default query parameters (insecure) section to the more secure HTTP(S) headers in the product Apigee Edge by Google.

HTTPS (HTTP over SSL) sends all HTTP content over a SSL tunnel, so HTTP content and headers are encrypted as well

This simple configuration must be changed immediately to avoid sending the apikey in plain text, which is a very bad idea! Also please remind that the full URI’s will typically also appear in all (request) log files.

API keys go by many names. You may see them referred to as ‘User key’, ‘API keys’, ‘app keys’, and ‘consumer keys’. All of these names are synonymous.

Apigee Edge (API Management Platform)
First of all we navigate to the “APIs > API Proxies” section on the Apigee Edge administration portal ( We choose the API Proxy that we want to alter and select the tab “Develop”. Select the policy “VerifyAPIKey”.

Find the following line in the XML-document:

 <APIKey ref="request.queryparam.apikey"/>

and simply change it to:

 <APIKey ref="request.header.apikey"/>




Click on the save button, redeploy the API Proxy and we are done!

Houd jij je kennis graag up to date?

Mis niets meer van onze kennisdocumenten, events, blogs en cases: ontvang als eerste het laatste nieuws in je inbox!

Fijn dat we je op de hoogte mogen houden!