HTTP Header Authentication


You can use the HTTP Header filter in cases where the API Gateway receives end-user authentication credentials in an HTTP header. A typical scenario would see the end-user (or message originator) authenticating to an intermediary. The intermediary authenticates the end-user, and to propagate the end-user credentials to the destination Web Service, the intermediary inserts the credentials into an HTTP header and forwards them onwards.

When the API Gateway receives the message, it performs the following tasks:

  • Authenticate the sender of the message (the intermediary)

  • Extract the end-user identity from the token in the HTTP header for use in subsequent Authorization filters

[Important] Important

In the case outlined above, the API Gateway does not attempt to re-authenticate the end-user. It trusts that the intermediary has already authenticated the end-user, and so the API Gateway does not authenticate the user again. However, it is good practice to authenticate the message sender (the intermediary). Any subsequent Authorization filters use the end-user credentials that were passed in the HTTP header.


The following configuration fields are available on this screen:


Enter an appropriate name for this filter in the Name field.

HTTP Header Name:

Enter the name of the HTTP Header that contains the end-user credentials.

HTTP Header Type:

Select the type of credentials that are passed in the named HTTP Header. The following types are supported:

  1. X.509 Distinguished Name

  2. Certificate

  3. Username