It’s now possible to configure an API to allow keyless access. Here’s how:
axle> update acmeapi allowKeylessUse=true
You can now fire a request to acmeapi and a key
will be created and used for that request. You can use
keylessQpd to set the rate limits applied to
keyless use for that API, e.g.:
axle> update acmeapi keylessQps=20 keylessQpd=40000
Now all keyless access to acmeapi will be allowed 20 hits a second and 40,000 hits per day.
You can mix keyless and keyed access.
What happens behind the scenes
With allowKeylessUse set to true, when a keyless request comes in,
a new key will be created which looks like
You can treat this key as you would any other. The only
difference is that you won’t be able to set rate limit overrides, as it
will always use the keylessQpd/Qpm/Qps values set on the API.
Where’s the IP address taken from
If the x-forwarded-for header is set this will be used; if not, then
the IP address that opened the socket to the ApiAxle instance will be
used. This means that in theory a user could send a false
header and gradually overload ApiAxle’s datastore. Be sure to strip or
x-forwarded-for if this is a concern.
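One way to overwrite the header in a proxy placed in front of ApiAxle, so that forged values cannot multiply the addresses ApiAxle sees. This is an added example, not ApiAxle code: the function names, the trusted proxy addresses and the sample requests are all assumptions, and it assumes each trusted proxy appends the address of the peer it received the request from.

```javascript
// Assumption: addresses of your own load balancers / reverse proxies.
const TRUSTED_PROXIES = new Set(["10.0.0.5", "10.0.0.6"]);

// Loose syntactic filter only: dotted quad, or hex groups containing a colon.
const looksLikeIp = (s) =>
  /^(\d{1,3}\.){3}\d{1,3}$/.test(s) || (/^[0-9a-fA-F:]+$/.test(s) && s.includes(":"));

// Returns the single address to send on to ApiAxle as x-forwarded-for.
function forwardedForValue(headers, peerAddress, trusted = TRUSTED_PROXIES) {
  // A direct client can put anything in the header, so ignore it entirely.
  if (!trusted.has(peerAddress)) return peerAddress;

  const hops = String(headers["x-forwarded-for"] || "")
    .split(",")
    .map((h) => h.trim())
    .filter(looksLikeIp);

  // Walk right to left: the first hop that is not one of our proxies was
  // appended by a proxy we trust; everything left of it is client-supplied.
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!trusted.has(hops[i])) return hops[i];
  }
  return peerAddress;
}

// How many different addresses would reach ApiAxle for a batch of requests.
function distinctAddresses(requests) {
  return new Set(requests.map((r) => forwardedForValue(r.headers, r.peer)));
}

// Constructed sample: one client (203.0.113.9) sending a different forged
// header on every request, both directly and through a trusted proxy.
const SAMPLE_REQUESTS = [
  { peer: "203.0.113.9", headers: { "x-forwarded-for": "198.51.100.1" } },
  { peer: "203.0.113.9", headers: { "x-forwarded-for": "198.51.100.2" } },
  { peer: "10.0.0.5", headers: { "x-forwarded-for": "198.51.100.3, 203.0.113.9" } },
  { peer: "10.0.0.5", headers: { "x-forwarded-for": "junk, 203.0.113.9, 10.0.0.6" } },
];

console.log([...distinctAddresses(SAMPLE_REQUESTS)]);
```

Without the rewrite, the four sample requests carry four different left-most values; with it they all resolve to the one address the proxies actually observed.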