Using the API Consumer Application Security Policy

Learn how to configure authentication methods used to identify an application that is attempting to consume an API.

Managing Policies

For information about using policies in the context of the developer portal, see Business Policies.

Table of Contents

  1. Introduction
  2. Configuration


The "API Consumer Application Security Policy" is used to identify (authenticate) an application that is attempting to consume an API to determine if it is authorized or not. This policy type supports multiple mechanisms for the App to present its identity. See Configuration Options (below) for a list of supported authentication methods.

Note: Use of this policy is reserved for API Administrators of the Community Manager application.

Configuration Options

The policy includes the following configuration options:

No Signature

A checkbox that allows you to perform authentication with no signature. If enabled (checkbox selected), selection of algorithms is disabled. If disabled (checkbox unselected), algorithms are enabled.


If No Signature is disabled, configure one or more authentication algorithms based on your requirements. The authentication method(s) selected are based on the protocols supported by your API.

Note: If your API supports OAut,h the API Consumer Security Policy is not required. Refer to the Using the OAuth Security Policy or Using the OAuth 1.0a Security Policy.

  • SHA1 (Shared Secret)—SHA1 hash function.
  • SHA1 with RSA—RSA encryption algorithms with SHA1 hash function.
  • SHA256 with RSA—RSA encryption algorithms with SHA-256 (32-bit words) hash function.
  • HMAC SHA1—Keyed-hash message authentication code with SHA1 hash function.
  • HMAC SHA256—Keyed-hash message authentication code with SHA-256 (32-bit words) hash function.
  • Authorization Header Scheme—The name of the authorization header scheme.
  • Authorization Header Parameters Prefix—The authorization header parameters prefix.
  • Cookie Name—Name of the API authentication cookie.
  • ClockSkew (in seconds)—Specify the clock skew (in seconds) that will be used to synchronize timestamps across hosts.

Back to top


Let's take a quick walkthrough of the API Consumer Application Security Policy configuration process to get you started.

Step 1: Add Policy

You can create an API Consumer Application Security Policy instance using Add Policy in the Policies > Operational Policies section.

Step 2: Modify Policy

When you Modify the API Consumer Application Security Policy on the Policy Details page the initial policy will look like this. The No Signature checked option provides a simple header security (for example, ApplicationSecurityUnsigned) default policy.

Another common simple header security policy for Community Manager applications provides SHA1-Shared Secret (for example, ApplicationSecuritySigned) support as follows:

You can get started using the default policy configurations (provided here), and then expand your configuration based on your requirements:

Step 3: Assign Policy to API in Community Manager

After you configure the policy, launch Community Manager and assign the policy:

On the API Details page, select Edit, go to the Proxy page, select (for example, ApplicationSecurityUnsigned), and save the configuration.

To verify the policy is attached to the API in Policy Manager, launch the Policy Manager Management Console, go to the Services folder and select the service (API) that is added to the Community Manager portal. The policy will display in the Policy Attachments > Operational section as illustrated below.

Back to top