# API Key Authentication

We will start by providing the required configuration for this strategy. Change all of these values to suit your requirements.

```js
{
  "authentication": {
    ...otherConfig,
    "authStrategies": [ ...otherStrategies, "apiKey" ],
    "apiKey": {
      "allowedKeys": [ "API_KEY_1", "API_KEY_2" ],
      "header": "x-access-token",
      "urlParam": "token"
    }
  }
}
```

Next, we create a custom strategy that returns the params you would like to use to identify an authenticated user or request.

Next, we create a hook called `allow-apiKey` that sets `params.authentication` if it does not exist and if `params.provider` exists (which means it is an external call) to use that `apiKey` strategy. We will also provide the capability for the API key to either be in a header or in a URL param:

This hook should be added before the `authenticate` hook wherever API Key authentication should be allowed:

```js
all: [ allowApiKey(), authenticate('jwt', 'apiKey') ],
```

If a user now accesses the service externally with the correct API key, the service call will succeed and have `params.apiKey` set to true.
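The strategy check and the `allow-apiKey` hook described above, sketched in plain JavaScript as an added example; it is not the original page's or the framework's own code. The function names, the `headers` and `query` fields on `params`, and removing the key from `query` are assumptions of this sketch, and keys are compared without an early exit rather than with a plain list lookup.

```javascript
// Constructed sample config, same shape as the "apiKey" section above.
const apiKeyConfig = {
  allowedKeys: ['API_KEY_1', 'API_KEY_2'],
  header: 'x-access-token',
  urlParam: 'token'
};

// Compare without stopping at the first differing character, so timing does
// not reveal how much of a guessed key was right.
function constantTimeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// Test the token against every allowed key; no early exit on a match.
function isAllowedKey(config, token) {
  if (typeof token !== 'string' || token.length === 0) return false;
  return config.allowedKeys.reduce((ok, key) => constantTimeEqual(key, token) || ok, false);
}

// Strategy step (hypothetical name): succeed with { apiKey: true } or throw.
function authenticateApiKey(config, authentication) {
  if (!isAllowedKey(config, authentication.token)) throw new Error('Incorrect API Key');
  return { apiKey: true };
}

// Hook factory (assumed context shape: params.provider / headers / query).
// Only external calls without params.authentication are touched.
function allowApiKey(config) {
  return (context) => {
    const { params } = context;
    if (!params.provider || params.authentication) return context;
    const { [config.urlParam]: fromUrl, ...query } = params.query || {};
    const token = (params.headers || {})[config.header] ?? fromUrl;
    if (typeof token === 'string') {
      // The key is removed from query so it is not passed on as a filter.
      context.params = { ...params, query, authentication: { strategy: 'apiKey', token } };
    }
    return context;
  };
}
```

A key sent as a URL parameter usually ends up in access logs and browser history, so the header is the safer transport where the client can set one.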