moonming/a6-plugin-key-auth
skills/a6-plugin-key-auth/SKILL.md
Skill for configuring the Apache APISIX key-auth plugin via the a6 CLI. Covers API key authentication setup on routes, consumer credential binding, key lookup from header/query/cookie, hide_credentials, anonymous consumer fallback, and common operational patterns.
tools
Updated Apr 21, 2026
$ install --global
skillsauthnpx skillsauth add moonming/a6 a6-plugin-key-authInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 30, 2026, 12:33 PM5.5s1 file scanned
SKILL.md
- name:
- a6-plugin-key-auth
- description:
- >-
- version:
- 1.0.0
- author:
- Apache APISIX Contributors
- license:
- Apache-2.0
- category:
- plugin
- apisix_version:
- >=3.0.0
- plugin_name:
- key-auth
a6-plugin-key-auth
Overview
The key-auth plugin authenticates requests using API keys. Clients include a
key in a header, query parameter, or cookie. APISIX looks up the key against
consumer credentials and, on match, forwards the request with consumer identity
headers. On failure it returns 401 Unauthorized.
When to Use
- Protect routes with simple API-key authentication
- Identify which consumer is calling an API
- Combine with rate-limiting for tiered access (authenticated vs anonymous)
- Hide credentials from upstream services
Plugin Configuration Reference (Route/Service)
| Field | Type | Required | Default | Description |
|-------|------|----------|---------|-------------|
| header | string | No | "apikey" | Header name to extract API key from |
| query | string | No | "apikey" | Query parameter name (lower priority than header) |
| hide_credentials | boolean | No | false | Remove key from request before forwarding upstream |
| anonymous_consumer | string | No | — | Consumer username for unauthenticated requests |
| realm | string | No | "key" | Realm in WWW-Authenticate response header on 401 |
Consumer Credential Reference
| Field | Type | Required | Description |
|-------|------|----------|-------------|
| key | string | Yes | Unique API key for the consumer. Auto-encrypted in etcd. |
Key Lookup Priority
- Header (default:
apikey) — checked first - Query parameter (default:
apikey) — checked if header absent - If both absent →
401 Unauthorizedwith"Missing API key in request"
Step-by-Step: Enable key-auth on a Route
1. Create a consumer
a6 consumer create -f - <<'EOF'
{
"username": "alice"
}
EOF
2. Add key-auth credential to the consumer
Use the Admin API (credentials are sub-resources of consumers):
curl "$(a6 context current -o json | jq -r .server)/apisix/admin/consumers/alice/credentials" \
-X PUT \
-H "X-API-KEY: $(a6 context current -o json | jq -r .api_key)" \
-d '{
"id": "cred-alice-key-auth",
"plugins": {
"key-auth": {
"key": "alice-secret-key-001"
}
}
}'
3. Create a route with key-auth enabled
a6 route create -f - <<'EOF'
{
"id": "protected-api",
"uri": "/api/*",
"plugins": {
"key-auth": {}
},
"upstream": {
"type": "roundrobin",
"nodes": {
"backend:8080": 1
}
}
}
EOF
4. Verify authentication
# Should succeed (200)
curl -i http://127.0.0.1:9080/api/users -H "apikey: alice-secret-key-001"
# Should fail (401)
curl -i http://127.0.0.1:9080/api/users
Common Patterns
Custom header name
{
"plugins": {
"key-auth": {
"header": "X-API-Token"
}
}
}
Client sends: curl -H "X-API-Token: alice-secret-key-001" ...
Query parameter authentication
{
"plugins": {
"key-auth": {
"query": "token"
}
}
}
Client sends: curl "http://127.0.0.1:9080/api/users?token=alice-secret-key-001"
Hide credentials from upstream
{
"plugins": {
"key-auth": {
"hide_credentials": true
}
}
}
The apikey header or query param is stripped before reaching the backend.
Always enable this in production.
Anonymous consumer with rate limiting
# Create anonymous consumer with strict limits
a6 consumer create -f - <<'EOF'
{
"username": "anonymous",
"plugins": {
"limit-count": {
"count": 10,
"time_window": 60,
"rejected_code": 429
}
}
}
EOF
{
"plugins": {
"key-auth": {
"anonymous_consumer": "anonymous"
}
}
}
Requests with valid keys → authenticated consumer. Requests without keys → anonymous consumer with rate limits.
Headers Added to Upstream
On successful authentication, APISIX adds:
| Header | Value |
|--------|-------|
| X-Consumer-Username | Consumer's username |
| X-Credential-Identifier | Credential ID |
| X-Consumer-Custom-Id | Consumer's labels.custom_id (if set) |
Troubleshooting
| Symptom | Cause | Fix |
|---------|-------|-----|
| 401 "Missing API key in request" | No key in header or query | Add apikey header or query param |
| 401 "Invalid API key in request" | Key does not match any consumer | Verify the key value in consumer credentials |
| Key visible in upstream logs | hide_credentials is false | Set hide_credentials: true |
| Anonymous users not working | anonymous_consumer not set or consumer missing | Create the consumer and set the field |
Config Sync Example
version: "1"
consumers:
- username: alice
routes:
- id: protected-api
uri: /api/*
plugins:
key-auth: {}
upstream_id: my-upstream
upstreams:
- id: my-upstream
type: roundrobin
nodes:
"backend:8080": 1
Note: Consumer credentials must be created separately via the Admin API;
a6 config syncmanages the consumer resource but credentials are sub-resources.
Related Skills
moonming/a6-shared
tools
VerifiedTrustedCommunity
Core skill for working with the a6 CLI — the Apache APISIX command-line tool. Provides project conventions, command patterns, architecture overview, and development workflow. Load this skill when working on a6 source code, adding new commands, writing tests, or modifying any a6 component.
SKILL.mdUpdated Apr 21, 2026
moonming/a6-recipe-multi-tenant
tools
VerifiedTrustedCommunity
Recipe skill for implementing multi-tenant API gateway patterns using the a6 CLI. Covers tenant isolation via Consumer Groups, host/path/header-based routing, per-tenant rate limiting, context forwarding with proxy-rewrite, and declarative config sync workflows for multi-tenant management.
SKILL.mdUpdated Apr 21, 2026
moonming/a6-recipe-mtls
tools
VerifiedTrustedCommunity
Recipe skill for configuring mutual TLS (mTLS) using the a6 CLI. Covers SSL certificate management, upstream mTLS to backend services, client certificate verification, and end-to-end mTLS setup from client through APISIX to upstream.
SKILL.mdUpdated Apr 21, 2026
moonming/a6-recipe-health-check
tools
VerifiedTrustedCommunity
Recipe skill for configuring upstream health checks using the a6 CLI. Covers active health checks (HTTP probing), passive health checks (response analysis), combining both, configuring healthy/unhealthy thresholds, and monitoring upstream node status.
SKILL.mdUpdated Apr 21, 2026