API Management Overview

Manage and secure APIs with Weik.io APIM

Weik.io’s API Management uses a YARP-based reverse proxy to handle traffic. You set up your APIs using three distinct resources: Api (the base path), ApiVersion (the routing rules), and ApiSubscription (the access controls).

Configuration Resources

Api

The Api resource defines the base URL prefix. It’s the front door for a specific service.

apiVersion: weik.io/v1alpha1
kind: Api
metadata:
  name: webhook
  description: The Webhook.site TEST API
spec:
  prefix: hook

In this example, the prefix maps to https://your-host/hook/....

ApiVersion

The ApiVersion tells the proxy exactly where to send the traffic. It uses standard YARP routing syntax under the hood.

apiVersion: weik.io/v1alpha1
kind: ApiVersion
metadata:
  name: v1
  description: Webhook.site test using direct forwarding
  category: proxy
spec:
  apiName: webhook
  isActive: true
  connection:
    automaticDecompression: GZip
  parameters:
    routes:
      route:
        clusterId: "cluster"
        match:
          path: "{**catch-all}"
    clusters:
      cluster:
        destinations:
          cluster/destination1:
            Address: "https://webhook.site/99f574f3-a9c3-4723-aae3-ecb98cc4e395"

The parameters section defines the routes and destination clusters, letting you handle everything from direct forwarding to complex load balancing.

ApiSubscription

An ApiSubscription determines who gets through the door. If you don’t define one, the API is inaccessible by default.

apiVersion: weik.io/v1alpha1
kind: ApiSubscription
metadata:
  name: my-apikey
  description: Subscription using X-API-Key header
  category: apikey
spec:
  apis:
    - webhook
  isActive: true
  parameters:
    key: "NGWdkceFPYyXmaH15jS3K0uCsk7KnnPA"

Authentication Methods

We support several authentication methods out of the box, controlled through the ApiSubscription category.

API Key

The simplest approach. Clients pass the key in the X-API-Key header.

apiVersion: weik.io/v1alpha1
kind: ApiSubscription
metadata:
  name: my-apikey
  category: apikey
spec:
  apis:
    - webhook
  isActive: true
  parameters:
    key: "your-api-key"

Basic Authentication

Good old-fashioned username and password over HTTPS.

apiVersion: weik.io/v1alpha1
kind: ApiSubscription
metadata:
  name: dev-basicauth
  category: basic
spec:
  apis:
    - webhook
  isActive: true
  parameters:
    username: "hello"
    password: "test123"

OpenID Connect (OIDC)

For more robust identity verification, you can validate tokens from an OIDC provider like Azure AD or Keycloak.

apiVersion: weik.io/v1alpha1
kind: ApiSubscription
metadata:
  name: oidc-aad
  category: oidc
spec:
  apis:
    - webhook
  isActive: true
  parameters:
    issuer: "https://sts.windows.net/your-tenant-id/"
    audience: "api://your-api-id"

Anonymous

If you want an endpoint completely open to the public, you still need an ApiSubscription to explicitly allow it.

apiVersion: weik.io/v1alpha1
kind: ApiSubscription
metadata:
  name: anonymous-apis
  category: anonymous
spec:
  apis:
    - webhook
  isActive: true
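
One way to check a set of these resources before applying them, as an added example that is not Weik.io code. It assumes the manifests are already parsed from YAML into dictionaries; the length thresholds, the `orders` API and the misspelled `webhok` reference are constructed for illustration, and treating an inactive subscription as granting no access is an assumption.

```python
# Added example, not Weik.io code: audit parsed APIM manifests before applying them.
MIN_KEY_LEN = 32       # assumed policy threshold, not a Weik.io setting
MIN_PASSWORD_LEN = 12  # assumed policy threshold, not a Weik.io setting

def weak_secret(value, min_len):
    """Heuristic only: too short, or too few distinct characters."""
    return len(value) < min_len or len(set(value)) < min_len // 2

def audit(resources):
    """Return sorted (resource name, finding) pairs for a list of manifests."""
    apis = {r["metadata"]["name"] for r in resources if r["kind"] == "Api"}
    findings, covered = [], set()
    for r in resources:
        name, spec = r["metadata"]["name"], r.get("spec", {})
        if r["kind"] == "ApiVersion" and spec.get("apiName") not in apis:
            findings.append((name, "apiName does not match any Api"))
        # Assumption: a subscription with isActive false grants no access.
        if r["kind"] != "ApiSubscription" or not spec.get("isActive"):
            continue
        category = r["metadata"].get("category")
        params = spec.get("parameters", {})
        covered.update(spec.get("apis", []))
        if category == "anonymous":
            findings.append((name, "open to the public, confirm this is intended"))
        elif category == "apikey" and weak_secret(params.get("key", ""), MIN_KEY_LEN):
            findings.append((name, "API key is short or low-variety"))
        elif category == "basic" and weak_secret(params.get("password", ""), MIN_PASSWORD_LEN):
            findings.append((name, "password is short or low-variety"))
    # Per the page, an Api with no subscription is inaccessible by default.
    findings += [(api, "no active ApiSubscription, API is unreachable") for api in apis - covered]
    return sorted(findings)

# Constructed manifests in the page's shapes; "orders" and "webhok" are made up.
SAMPLE = [
    {"kind": "Api", "metadata": {"name": "webhook"}, "spec": {"prefix": "hook"}},
    {"kind": "Api", "metadata": {"name": "orders"}, "spec": {"prefix": "orders"}},
    {"kind": "ApiVersion", "metadata": {"name": "v1"}, "spec": {"apiName": "webhok"}},
    {"kind": "ApiSubscription", "metadata": {"name": "my-apikey", "category": "apikey"},
     "spec": {"apis": ["webhook"], "isActive": True, "parameters": {"key": "your-api-key"}}},
    {"kind": "ApiSubscription", "metadata": {"name": "dev-basicauth", "category": "basic"},
     "spec": {"apis": ["webhook"], "isActive": True,
              "parameters": {"username": "hello", "password": "test123"}}},
    {"kind": "ApiSubscription", "metadata": {"name": "anonymous-apis", "category": "anonymous"},
     "spec": {"apis": ["webhook"], "isActive": True}},
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```
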

What’s Next