Skip to content

User guide: Authentication with API keys

Issue API keys stored in Kubernetes Secrets for clients to authenticate with your protected hosts.

Authorino features in this guide:
  • Identity verification & authentication → API key
In Authorino, API keys are stored as Kubernetes `Secret`s. Each resource must contain an `api_key` entry with the value of the API key, and labeled to match the selectors specified in `spec.identity.apiKey.selector` of the `AuthConfig`. API key `Secret`s must also include labels that match the `secretLabelSelector` field of the Authorino instance. See [Resource reconciliation and status update](../ for details. For further details about Authorino features in general, check the [docs](./../


  • Kubernetes server

Create a containerized Kubernetes server locally using Kind:

kind create cluster --name authorino-tutorial

1. Install the Authorino Operator

curl -sL | bash -s

2. Deploy the Talker API

The Talker API is just an echo API, included in the Authorino examples. We will use it in this guide as the service to be protected with Authorino.

kubectl apply -f

3. Deploy Authorino

kubectl apply -f -<<EOF
kind: Authorino
  name: authorino
      enabled: false
      enabled: false

The command above will deploy Authorino as a separate service (as opposed to a sidecar of the protected API and other architectures), in namespaced reconciliation mode, and with TLS termination disabled. For other variants and deployment options, check out the Getting Started section of the docs, the Architecture page, and the spec for the Authorino CRD in the Authorino Operator repo.

4. Setup Envoy

The following bundle from the Authorino examples (manifest referred in the command below) is to apply Envoy configuration and deploy Envoy proxy, that wire up the Talker API behind the reverse-proxy and external authorization with the Authorino instance.

For details and instructions to setup Envoy manually, see Protect a service > Setup Envoy in the Getting Started page. For a simpler and straightforward way to manage an API, without having to manually install or configure Envoy and Authorino, check out Kuadrant.

kubectl apply -f

The bundle also creates an Ingress with host name, but if you are using a local Kubernetes cluster created with Kind, you need to forward requests on port 8000 to inside the cluster in order to actually reach the Envoy service:

kubectl port-forward deployment/envoy 8000:8000 &

5. Create the AuthConfig

kubectl apply -f -<<EOF
kind: AuthConfig
  name: talker-api-protection
            group: friends
          prefix: APIKEY

6. Create an API key

kubectl apply -f -<<EOF
apiVersion: v1
kind: Secret
  name: api-key-1
  labels: authorino
    group: friends
  api_key: ndyBzreUzF4zqDQsqSPMHkRhriEOtcRx
type: Opaque

7. Consume the API

With a valid API key:

curl -H 'Authorization: APIKEY ndyBzreUzF4zqDQsqSPMHkRhriEOtcRx'
# HTTP/1.1 200 OK

With missing or invalid API key:

curl -H 'Authorization: APIKEY invalid' -i
# HTTP/1.1 401 Unauthorized
# www-authenticate: APIKEY realm="friends"
# x-ext-auth-reason: the API Key provided is invalid

8. Delete an API key (revoke access to the API)

kubectl delete secret/api-key-1


If you have started a Kubernetes cluster locally with Kind to try this user guide, delete it by running:

kind delete cluster --name authorino-tutorial

Otherwise, delete the resources created in each step:

kubectl delete authconfig/talker-api-protection
kubectl delete authorino/authorino
kubectl delete -f
kubectl delete -f

To uninstall the Authorino Operator and manifests (CRDs, RBAC, etc), run:

kubectl delete -f