API Subscriptions

Manage API access and authentication with subscriptions

API Subscriptions dictate who gets to access your APIs and how they prove their identity. Think of them as the bouncer at the door of your proxy.

Configuration

At a minimum, a subscription needs to know which APIs it grants access to.

apiVersion: weik.io/v1alpha1
kind: ApiSubscription
metadata:
  name: mobile-app-subscription
  description: Subscription for mobile application
spec:
  apis:
    - users-api
    - orders-api
  isActive: true
  parameters:
    key: "your-api-key"

Properties

| Property | Type | Required | Description |
|---|---|---|---|
| apis | string[] | Yes | List of API names this subscription grants access to |
| isActive | bool | No | Whether the subscription is active (default: true) |
| parameters | object | No | Authentication and configuration parameters |
| additionalHeaders | object | No | HTTP headers to include in requests |
| variables | object | No | Variables specific to this subscription |

Authentication Examples

The authentication method is selected by the category field in the metadata. Here are a few common ways to configure it:

API Key

apiVersion: weik.io/v1alpha1
kind: ApiSubscription
metadata:
  name: my-apikey
  category: apikey
spec:
  apis:
    - petstore
  isActive: true
  parameters:
    key: "NGWdkceFPYyXmaH15jS3K0uCsk7KnnPA"

Basic Authentication

apiVersion: weik.io/v1alpha1
kind: ApiSubscription
metadata:
  name: dev-basicauth
  category: basic
spec:
  apis:
    - petstore
  isActive: true
  parameters:
    username: "hello"
    password: "test123"

OpenID Connect

If you’re backing your APIs with Entra ID, Keycloak, or Auth0, you’ll want to use OIDC to validate tokens.

apiVersion: weik.io/v1alpha1
kind: ApiSubscription
metadata:
  name: oidc-aad
  category: oidc
spec:
  apis:
    - petstore
  isActive: true
  parameters:
    issuer: "https://sts.windows.net/37e55da6-fb62-456a-8d8e-f6f5b649092f/"
    audience: "api://f2f62be5-bc3a-4786-b42c-209a4e0f22bb"
  additionalHeaders:
    custom-source: 'entra'
    anotherdata: 'More header data for this subscription'

Anonymous

Sometimes you actually want an open door, but the proxy still requires you to explicitly declare it.

apiVersion: weik.io/v1alpha1
kind: ApiSubscription
metadata:
  name: anonymous-apis
  category: anonymous
spec:
  apis:
    - webhook
  isActive: true

Additional Headers

If you define additionalHeaders, the proxy injects them into every request that passes through this specific subscription. I find this useful for tagging requests with tenant IDs or tracking sources without requiring the client to send them.

apiVersion: weik.io/v1alpha1
kind: ApiSubscription
metadata:
  name: partner-subscription
spec:
  apis:
    - partner-api
  isActive: true
  additionalHeaders:
    X-Partner-Id: partner-123
    X-Request-Source: partner-portal

Variables

Avoid hardcoding secrets like API keys in your YAML files. Use variables to pull them from the environment or a secure store instead.

apiVersion: weik.io/v1alpha1
kind: ApiSubscription
metadata:
  name: partner-subscription
spec:
  apis:
    - partner-api
  isActive: true
  parameters:
    apiKey: "{{apiKey}}"
  variables:
    apiKey: "{{sys:PARTNER_API_KEY}}"

See Using Variables for a deeper dive into variable resolution.
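
A check that enforces the advice above before a manifest is committed, as an added example that is not part of the weik.io documentation: it flags credential parameters written as literals instead of {{...}} references, including a literal sitting behind a variable. The list of sensitive parameter names, the function names and the indentation-based reader are assumptions of this example.

```python
import re

# Assumption: parameter names that hold credentials, taken from the page's examples.
SENSITIVE = {"key", "apikey", "password"}
ENTRY = re.compile(r"^(\s*)([\w-]+):\s*(.*)$")
PLACEHOLDER = re.compile(r"^\{\{\s*([^{}]+?)\s*\}\}$")

def parse_sections(manifest):
    """Read spec.parameters and spec.variables from the two-space layout used
    on this page. Indentation-based on purpose; not a general YAML parser."""
    sections, current = {"parameters": {}, "variables": {}}, None
    for line in manifest.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip()
        if indent <= 2:
            current = key if indent == 2 and not value and key in sections else None
        elif indent == 4 and current:
            sections[current][key] = value.strip("\"'")
    return sections

def find_hardcoded_secrets(manifest):
    """Return sorted 'section.key' paths where a credential is a literal value."""
    s, findings = parse_sections(manifest), set()
    for key, value in s["parameters"].items():
        if key.lower() not in SENSITIVE:
            continue
        ref = PLACEHOLDER.match(value)
        if not ref:
            findings.add(f"parameters.{key}")       # literal in parameters
            continue
        target = s["variables"].get(ref.group(1))   # follow {{name}} one hop
        if target is not None and not PLACEHOLDER.match(target):
            findings.add(f"variables.{ref.group(1)}")  # literal behind the variable
    return sorted(findings)

# Constructed sample manifests; the values are made up for this example.
LITERAL_KEY = 'spec:\n  apis:\n    - partner-api\n  parameters:\n    key: "constructed-value"\n'
VIA_VARIABLE = (
    "spec:\n  parameters:\n    apiKey: \"{{apiKey}}\"\n"
    "  variables:\n    apiKey: \"{{sys:PARTNER_API_KEY}}\"\n"
)
LITERAL_VARIABLE = VIA_VARIABLE.replace("{{sys:PARTNER_API_KEY}}", "constructed-value")

if __name__ == "__main__":
    for name in ("LITERAL_KEY", "VIA_VARIABLE", "LITERAL_VARIABLE"):
        print(name, find_hardcoded_secrets(globals()[name]))
```

A parameter that references a name with no entry under variables is treated as resolved elsewhere and is not flagged.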

What’s Next