Choosing an Authentication Method

API Gateway supports multiple authentication methods that are suited to different applications and use cases. API Gateway uses the authentication method that you specify in your service configuration to validate incoming requests before passing them to your API backend. This page provides an overview for each supported authentication method in API Gateway.

API keys

An API key is a simple string that identifies a Google Cloud project for quota, billing, and monitoring purposes. A developer generates an API key in a project in the Google Cloud console and embeds that key in every call to your API as a query parameter or in a request header.

Use case

To use API Gateway features such as quotas, you can pass in an API key so that API Gateway can identify the Google Cloud project that the client application is associated with. For more information, see Using API Keys.

Service accounts

To identify a service that sends requests to your API, you use a service account. The calling service uses the service account's private key to sign a secure JSON Web Token (JWT) and sends the signed JWT in the request to your API.

Use case

JWTs and service accounts are well suited for microservices. For more information, see Authentication between services.