Skip to content

Add ApiKeyMediator block to api_product_template.xml#14094

Open
Tharsanan1 wants to merge 1 commit intowso2:masterfrom
Tharsanan1:fix/4856
Open

Add ApiKeyMediator block to api_product_template.xml#14094
Tharsanan1 wants to merge 1 commit intowso2:masterfrom
Tharsanan1:fix/4856

Conversation

@Tharsanan1
Copy link
Copy Markdown
Contributor

@Tharsanan1 Tharsanan1 commented Apr 3, 2026
edited by coderabbitai bot
Loading

Summary

  • API Products were missing the ApiKeyMediator configuration in their Velocity template (api_product_template.xml)
  • This caused API key endpoint security headers (e.g., x-api-key for AI APIs) to never be forwarded to backend services when accessed through an API Product
  • Added the same apikey handling block that exists in velocity_template.xml (used for regular APIs) to all four copies of api_product_template.xml

Related

Test plan

  • Verified: API Product with AI API (Anthropic) endpoint security correctly forwards x-api-key header to backend
  • Standalone AI API returns "invalid x-api-key" (key sent, expected with dummy key)
  • API Product returns "invalid x-api-key" (key sent — was previously "x-api-key header is required")
  • No Velocity template errors during deployment

🤖 Generated with Claude Code

Summary by CodeRabbit

  • New Features
    • Added API key authentication type for endpoint security configurations across APIM modules
    • Supports API key values stored directly or in secure vault for enhanced security flexibility

@Tharsanan1 @claude
Add ApiKeyMediator block to api_product_template.xml
dbd765f 
API Products were missing the ApiKeyMediator configuration in their
Velocity template, causing API key endpoint security headers (e.g.,
x-api-key for AI APIs) to never be forwarded to backend services.

This adds the same apikey handling that exists in velocity_template.xml
to all four copies of api_product_template.xml.

Fixes: wso2/api-manager#4856

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@coderabbitai
Copy link
Copy Markdown
Contributor

coderabbitai bot commented Apr 3, 2026
edited
Loading

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 262ee1ea-dec2-46f4-8d4e-c55701670574

📥 Commits

Reviewing files that changed from the base of the PR and between 07be985 and dbd765f.

📒 Files selected for processing (4)
  • all-in-one-apim/modules/distribution/resources/api_templates/api_product_template.xml
  • api-control-plane/modules/distribution/resources/api_templates/api_product_template.xml
  • gateway/modules/distribution/resources/api_templates/api_product_template.xml
  • traffic-manager/modules/distribution/resources/api_templates/api_product_template.xml

Walkthrough

Four identical APIM module distribution files were updated to add API key authentication support in the draw_endpoint macro. When endpoint security type is "apikey"/"APIKEY", an ApiKeyMediator is inserted to configure apiKeyIdentifier, apiKeyIdentifierType, and apiKeyValue with optional secure vault lookup.

Changes

Cohort / File(s) Summary
API Product Template Updates
all-in-one-apim/modules/distribution/resources/api_templates/api_product_template.xml, api-control-plane/modules/distribution/resources/api_templates/api_product_template.xml, gateway/modules/distribution/resources/api_templates/api_product_template.xml, traffic-manager/modules/distribution/resources/api_templates/api_product_template.xml		 Added ApiKeyMediator configuration in draw_endpoint macro for "apikey" endpoint security type, supporting both secure vault and direct value lookup for apiKeyValue.

Estimated Code Review Effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 Four templates now sing in harmony,
API keys flowing through the gateway spree,
Secure vault whispers, or values take flight,
Authentication blooms—AI APIs shine bright! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately describes the main change: adding ApiKeyMediator block to api_product_template.xml files across four modules.
Linked Issues check ✅ Passed The PR directly addresses issue #4856 by implementing ApiKeyMediator handling for API key endpoint security in API Product templates, enabling proper forwarding of x-api-key headers to backend services.
Out of Scope Changes check ✅ Passed All changes are in-scope: modifications to api_product_template.xml files across four modules to add ApiKeyMediator support, directly addressing the linked issue requirement.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tharindu1st tharindu1st Awaiting requested review from tharindu1st tharindu1st is a code owner

@AnuGayan AnuGayan Awaiting requested review from AnuGayan AnuGayan is a code owner

@chamilaadhi chamilaadhi Awaiting requested review from chamilaadhi chamilaadhi is a code owner

@Arshardh Arshardh Awaiting requested review from Arshardh Arshardh is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[API Products] UI supports creating API Products using AI APIs but authentication fails

1 participant

@Tharsanan1