Choosing an Authentication Method
API Gateway supports multiple authentication methods that are suited to different applications and use cases. API Gateway uses the authentication method that you specify in your service configuration to validate incoming requests before passing them to your API backend. This page provides an overview of each supported authentication method in API Gateway.
An API key is a simple string that identifies a Google Cloud project for quota, billing, and monitoring purposes. A developer generates an API key in a project in the Cloud console and embeds that key in every call to your API as a query parameter or in a request header.
To use API Gateway features such as quotas, you can pass in an API key so that API Gateway can identify the Google Cloud project that the client application is associated with. For more information, see Using API Keys.
To identify a service that sends requests to your API, you use a service account. The calling service uses the service account's private key to sign a secure JSON Web Token (JWT) and sends the signed JWT in the request to your API.
JWTs and service accounts are well suited for microservices. For more information, see Authentication between services.
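The service-account flow described above, as an added example that is not Google's code or part of the original page: a caller signs a JWT with a private key, and a validator checks the signature, issuer, audience and expiry before accepting it. The RS256 algorithm, the locally generated key pair, the service account email, the audience URL and the function names `signJwt` and `verifyJwt` are assumptions made for illustration; the checks are standard JWT validation steps, not API Gateway's internal implementation.

```javascript
// Added example: Node.js standard library only; key pair and claims are constructed.
const { generateKeyPairSync, createSign, createVerify } = require('crypto');

const b64url = (data) => Buffer.from(data).toString('base64')
  .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
const fromB64url = (s) => Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64');

// Stand-in for the service account key pair (generated locally for the demo).
const { privateKey, publicKey } = generateKeyPairSync('rsa', { modulusLength: 2048 });

// Calling service: sign a short-lived JWT with the service account's private key.
function signJwt(claims, key, nowSec, lifetimeSec = 3600) {
  const header = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const payload = b64url(JSON.stringify({ ...claims, iat: nowSec, exp: nowSec + lifetimeSec }));
  const signature = createSign('RSA-SHA256').update(`${header}.${payload}`).sign(key);
  return `${header}.${payload}.${b64url(signature)}`;
}

// Receiving side: checks applied before a request is passed to the backend.
function verifyJwt(token, key, expected, nowSec) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  let header, claims;
  try {
    header = JSON.parse(fromB64url(parts[0]).toString('utf8'));
    claims = JSON.parse(fromB64url(parts[1]).toString('utf8'));
    if (!header || !claims) throw new Error('header and payload must be objects');
  } catch (e) {
    return { ok: false, reason: 'malformed' };
  }
  // Pin the algorithm instead of trusting whatever the token header asks for.
  if (header.alg !== 'RS256') return { ok: false, reason: 'unexpected alg' };
  const sigOk = createVerify('RSA-SHA256').update(`${parts[0]}.${parts[1]}`)
    .verify(key, fromB64url(parts[2]));
  if (!sigOk) return { ok: false, reason: 'bad signature' };
  if (claims.iss !== expected.iss) return { ok: false, reason: 'wrong issuer' };
  if (claims.aud !== expected.aud) return { ok: false, reason: 'wrong audience' };
  if (typeof claims.exp !== 'number' || nowSec >= claims.exp) return { ok: false, reason: 'expired' };
  return { ok: true, claims };
}

// Constructed sample values; the email and audience are placeholders.
const SAMPLE = { iss: 'caller@example-project.iam.gserviceaccount.com',
  sub: 'caller@example-project.iam.gserviceaccount.com', aud: 'https://api.example.com' };
const token = signJwt(SAMPLE, privateKey, Math.floor(Date.now() / 1000));
console.log(verifyJwt(token, publicKey, SAMPLE, Math.floor(Date.now() / 1000)));
```

The signed token is normally carried in the request's `Authorization: Bearer` header; the validator needs only the public key, so the private key never leaves the calling service.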