Endpoint Key and Method Detection

The Endpoint Key & Method Detection page allows you to configure an endpoint's key and method settings. It helps you restrict access to your API methods to have more fine-grained control over your APIs.

Endpoint Type

The selection determines the type of routing (or protocol) on the Traffic Manager: REST, SOAP, JSON-RPC, GRAPHQL, XML-RPC, or OTHER. The Traffic Manager rejects an API call if an endpoint type other than the available ones is specified.

SOAP

For the SOAP endpoint type, a GET request to the WSDL is proxied through the Traffic Manager without requiring an API key.

GraphQL

The GraphQL endpoint type supports both the GET and POST methods. The GraphQL API performs schema validation and also supports object-level and field-level restrictions, which exclude sensitive fields from query results. Additionally, the API enforces limits such as Max Depth, Max Execution Time, and Introspection Control. If a request violates any of these constraints, the API responds with an HTTP 403 error (see HTTP Status Code below).

Import GraphQL Schema

:::note

The Import Schema option is only applicable for the GraphQL endpoint type and is not supported for REST, SOAP, JSON-RPC, XML-RPC, or OTHER endpoint types.

:::

The Import Schema option imports and validates the schema configured for the GraphQL endpoint, which Traffic Manager uses for routing requests.

There are two options to import a schema for a GraphQL endpoint:

  • Import from File: This option allows you to upload a .graphql, .gql, or .graphqls GraphQL schema file from your local file system. The uploaded file is then validated to ensure compatibility with the GraphQL endpoint.

    Upon successful file import and validation, metadata (e.g., Enums, Mutations, Objects, Queries, etc.) is extracted from the schema file and displayed.

  • Import from URL: This option allows you to retrieve a GraphQL schema directly from an endpoint using an introspection query. This request uses the system domain configured on the Domain and Traffic Routing page. After selecting this option, the following fields are displayed:

    • System Domain: The base URL of the GraphQL server.
    • Path: The API path of the GraphQL endpoint.
    • Query: A URL-encoded GraphQL introspection query.

    Refer to Configuring API Endpoint Key and Method Detection Settings for more information about how to configure these fields.

GraphQL Configuration

| Property | Required | Description | Type | Default |
| --- | --- | --- | --- | --- |
| graphql_depth_limit | Yes | The maximum depth of nested fields (including those inside fragments) allowed in a single GraphQL query, to prevent excessive query complexity. | Integer (no limit) | 5 |
| graphql_max_execution_time | Yes | The maximum time (in seconds) a query can run before termination. | Integer | 2 |
| graphql_introspection_control | Yes | Controls querying of the schema structure, to enhance security. | Boolean | True |
| graphql_object_restriction | Yes | Controls access to sensitive data in GraphQL APIs. | Boolean | True |
| graphql_schema_file_name | Yes | Stores the imported schema file name. | - | - |
| graphql_schema_url | Yes | Stores the GraphQL introspection URL. | String | Blank |
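To make the graphql_depth_limit property concrete, here is an added example (not code from the page or from Boomi) of how a gateway can measure the depth of an incoming GraphQL document before forwarding it, including fields that are only reached through named fragments. The counting convention is an assumption: the operation's root selection set is depth 1, every nested selection set adds one, inline fragments (`... on Type { }`) merge into their parent, and string literals and argument lists are blanked out first so braces inside them are not mistaken for selection sets. The two sample documents are constructed for the example; a request whose depth exceeds the configured limit is the case the page maps to a 403 "GraphQL Request Exceed Depth Limit" response.

```python
import re
from typing import Dict, FrozenSet, List, Tuple

DEPTH_LIMIT = 5  # graphql_depth_limit default from the page's GraphQL Configuration table

_STRING = re.compile(r'"(?:\\.|[^"\\])*"')          # string literals (may contain braces)
_ARGS = re.compile(r"\([^()]*\)")                    # argument lists (object values use braces)
_SPREAD = re.compile(r"\.\.\.\s*(\w+)")              # named fragment spread, or "... on" for inline
_INLINE = re.compile(r"\.\.\.(\s*on\s+\w+)?(\s*@\w+)*\s*$")  # text just before an inline fragment's "{"
_FRAGMENT = re.compile(r"fragment\s+(\w+)\s+on\s+\w+")


def _normalize(text: str) -> str:
    """Blank out string literals and argument lists so their braces are not counted as selection sets."""
    text = _STRING.sub('""', text)
    while _ARGS.search(text):
        text = _ARGS.sub("", text)
    return text


def _matching_brace(text: str, start: int) -> int:
    """Index of the '}' that closes the '{' at text[start]."""
    depth = 0
    for i in range(start, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return i
    raise ValueError("unbalanced braces in GraphQL document")


def parse_document(query: str) -> Tuple[List[str], Dict[str, str]]:
    """Split a document into operation selection sets (with braces) and fragment bodies (without)."""
    text = _normalize(query)
    operations: List[str] = []
    fragments: Dict[str, str] = {}
    pos = 0
    while True:
        brace = text.find("{", pos)
        if brace == -1:
            return operations, fragments
        end = _matching_brace(text, brace)
        m = _FRAGMENT.match(text[pos:brace].strip())
        if m:
            fragments[m.group(1)] = text[brace + 1:end]
        else:
            operations.append(text[brace:end + 1])
        pos = end + 1


def selection_depth(text: str, fragments: Dict[str, str], active: FrozenSet[str] = frozenset()) -> int:
    """Deepest selection-set nesting in text: the root set is depth 1, each nested set adds 1.
    Named fragment spreads are expanded at the level they appear (cycles are ignored); inline
    fragments ('... on Type { }') merge into their parent and add no level."""
    deepest = level = 0
    adds_level: List[bool] = []  # one entry per currently open '{'
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "{":
            adds = _INLINE.search(text[:i]) is None
            adds_level.append(adds)
            if adds:
                level += 1
                deepest = max(deepest, level)
        elif ch == "}":
            if adds_level.pop():
                level -= 1
        elif ch == ".":
            m = _SPREAD.match(text, i)
            if m:
                name = m.group(1)
                if name != "on" and name in fragments and name not in active:
                    inner = selection_depth(fragments[name], fragments, active | {name})
                    deepest = max(deepest, level + inner)
                i = m.end()
                continue
        i += 1
    return deepest


def check_depth(query: str, limit: int = DEPTH_LIMIT) -> Tuple[int, bool]:
    """Return (depth of the deepest operation in the document, whether it is within the limit)."""
    operations, fragments = parse_document(query)
    depth = max((selection_depth(op, fragments) for op in operations), default=0)
    return depth, depth <= limit


# Constructed sample documents (not from the page): one too deep, one that hides depth in a fragment.
DEEP_QUERY = """
query Deep($id: ID!) {
  user(id: $id) { posts { comments { author { friends { name } } } } }
}
"""
FRAGMENT_QUERY = """
query { user { ...PostsAndComments } }
fragment PostsAndComments on User { posts { comments { body } } }
"""

if __name__ == "__main__":
    for doc in (DEEP_QUERY, FRAGMENT_QUERY):
        depth, ok = check_depth(doc)
        print(f"depth={depth} allowed={ok}")  # 6 rejected, 4 allowed with the default limit of 5
```

Counting fragment bodies at the level of their spread is what stops a client from hiding depth behind a fragment definition; the `active` set guards against fragments that spread each other in a cycle, which a real gateway would also reject as an invalid document.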

HTTP Status Code

| Code | Message |
| --- | --- |
| 403 | Received in the following cases: Invalid GraphQL Schema; Invalid GraphQL HTTP Method; Invalid GraphQL Query; Invalid GraphQL Content Type; Invalid GraphQL Character Set; Invalid GraphQL Syntax; Invalid GraphQL Request; GraphQL Request Exceed Depth Limit; GraphQL Request Exceed Complexity Limit; GraphQL Introspection Disallowed; GraphQL Object Restricted. |

XML-RPC

The XML-RPC endpoint type supports only the POST HTTP method.

OTHER

For the OTHER endpoint type, any custom protocol used must be implemented as a customization.

:::info

Other options on the Endpoint Key & Method Detection page will show or remain hidden depending on the selected endpoint type. Refer to Key and Method Detection Matrix for more information.

:::

Supported HTTP Methods

This includes the available HTTP methods supported by REST, SOAP, JSON-RPC, GRAPHQL, XML-RPC, or OTHER endpoint types. These methods are used to make calls to the endpoint, and you can select more than one HTTP method.

Method Location

This determines the method's location in the API call request. Based on the options selected here, the Traffic Manager locates the method.

Method Location Identifier

This is the identifier used by Traffic Manager to identify a method in the following method sources:

  • The parameter ID of the method within the URL for GET method API calls.

  • Location of the method within the body for POST method API calls.

  • For Split Path, the method's location within the actual URL path of an API call, entered as space-delimited numbers representing the positions of the elements in a 0-index-based array.

    For example, if the inbound call path is a/b/c/d and this box contains 0, 2, the method name a c will be logged. These position numbers need not be in order, and a position number greater than the number of elements received in the path is ignored.

  • The XML path of the method within the SOAP or XML-RPC.

Request Authentication Type

This determines the authentication type or algorithm used for API endpoint authentication. Based on the Request Authentication Type option selected, some of the options in the Developer's API Key Location field will be shown or hidden.

:::note

When High Security Secret Management (HSSM) is enabled, the only option available for the endpoint authentication type is Secure Hash (SHA-256). HSSM is only available for Boomi Cloud API Management - Local Edition 4.0 and above.

:::

A sample Traffic Manager call for an HSSM-enabled endpoint looks like the following (the sig and timestamp values are computed inline with PHP's hash_hmac):

```bash
curl -H 'Authorization: Basic <ML Auth Code>' -H 'Host: <Public Hostname>' \
  'http://<ML Machine Hostname/IP address>/<EndpointPath>?api_key=<Api Key>&sig='"$(php -r 'echo hash_hmac("sha256", "<Api Key>", "<Secret>");')"'&timestamp='"$(php -r 'echo hash_hmac("sha256", time(), "<Api Key>");')"
```

In the above call, replace the <Api Key> and <Secret> with your key and secret. Refer to Generating Package Key Secrets when High Security Secret Management (HSSM) is Enabled for more information.

Developer's API Key Location

This helps the Traffic Manager determine the location of the API Key.

OAuth Grant Types

The grant types that you want to support. Grant type is an authorization type that is necessary to obtain an access token. The following grant types can be selected in the OAuth Grant Type section:

  • Authorization Code: It consists of two requests and two responses. The first request gets the authorization code generated by the authorization server. The code is then sent in the second request to get the access token.
  • Implicit: Issues an access token directly upon receiving the authorization request. In this grant type, the authorization server does not authenticate the client; the client can only send the client ID.
  • Password: Issues an access token using the resource owner's password credentials. After providing the resource owner's credentials, access to the client application is provided. This type must be used only when there is a trust between the resource owner and the client.
  • Client Credentials: Issues an access token by using client credentials, where the client requests access to secured resources or other resource owners.

Key Field Identifier

Identifier used by Traffic Manager to identify an API Key in the following key sources:

  • The name field that designates the key in an API call.
  • Location of the API Key in the request path.

:::note

The Key Field Identifier is available for all values of Request Authentication Type, except OAuth, which requires a signature. The default signature field identifier is static, not configurable by the Cloud API Management user, and varies depending on the option selected in the Developer's API Key Location field:

  • If Parameters is selected, Cloud API Management expects the signature to be sig=SIGNATURE_VALUE in the parameters.
  • If Header is selected for Developer's API Key Location, Cloud API Management expects the signature to be x-signature:SIGNATURE_VALUE in the header.

:::

The default value is api_key, but it can be changed as needed to tell Cloud API Management how to identify the field in which the API/Package Key is included in requests (for example, apikey, passkey, or x-apikey; the last is common for header authentication). When the Key Location is Path, this can also be a space-delimited set of numbers designating the positions in the request path that should be recorded as the API Key.
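Both the Split Path method location (Method Location Identifier) and the Path key location (Key Field Identifier) use the same rule: space-delimited 0-based positions into the URL path, out-of-range positions ignored. The following added example (not code from the page or from Boomi) implements that rule once for both uses and shows a defender-side allow-list check built on the resolved method name. Assumptions: commas are tolerated as separators because the page's own example writes the positions as "0, 2", the query string is dropped before splitting, and selected elements are joined in the order the positions are given; the paths and method names are constructed.

```python
from typing import Iterable, List


def positions_from_identifier(identifier: str) -> List[int]:
    """Parse the identifier box into 0-based positions (space-delimited; commas tolerated, an assumption)."""
    positions: List[int] = []
    for token in identifier.replace(",", " ").split():
        if not token.isdigit():
            raise ValueError(f"identifier position {token!r} is not a non-negative integer")
        positions.append(int(token))
    return positions


def value_from_path(path: str, identifier: str) -> str:
    """Return the space-joined path elements at the configured positions.

    Serves both a Split Path method location and a Path API key location. Positions past the
    end of the received path are ignored, and elements are taken in the order the positions
    are given (assumption). Constructed example: path "a/b/c/d" with "0 2" yields "a c".
    """
    elements = [e for e in path.split("?", 1)[0].strip("/").split("/") if e]
    picked = [elements[p] for p in positions_from_identifier(identifier) if p < len(elements)]
    return " ".join(picked)


def method_is_allowed(path: str, identifier: str, allowed_methods: Iterable[str]) -> bool:
    """Illustrative gateway check (assumption): is the method resolved from the path on the allow list?"""
    return value_from_path(path, identifier) in set(allowed_methods)


if __name__ == "__main__":
    print(value_from_path("a/b/c/d", "0, 2"))                         # a c
    print(value_from_path("a/b", "0 5"))                              # a  (position 5 ignored)
    print(method_is_allowed("v1/orders/list", "2", ["list", "get"]))  # True
```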

To generate the hash for Key+Secret+Timestamp Hash, consider the following:

  • Invoking an API sometimes needs a Signature to be passed as part of the request.

  • The signature is an MD5 or SHA-256 hash of the concatenation of:

    • Client ID
    • Client Secret
    • Epoch time

Generating Signature in Postman: The sig query parameter is created in Postman through a Pre-request Script. The {{signature}} element used in the Postman URL comes from the global variable defined in the Pre-request Script.

:::note

  • A +/-5 min window is allowed for the timestamp validity in the signature.
  • The location of the signature is not tied to the API Key location. Irrespective of the API Key Location, provide the signature in the query parameters or in the headers:
    • If in query parameters, the name should be sig.
    • If in headers, the name should be x-signature.

:::
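The following added example (not code from the page or from Boomi) works through the Key + Secret + Timestamp Hash scheme described above end to end: the client-side hash of client ID, client secret and epoch time (MD5 or SHA-256), placement of the signature as either the sig query parameter or the x-signature header, and a gateway-side check that honours the +/-5 minute window. The credentials are constructed sample values. One assumption is worth stating: the request carries no timestamp, so the verifier recomputes the hash for every second in the window and compares in constant time; the real Traffic Manager's internals are not described on the page. The last function mirrors the HSSM curl sample's hash_hmac("sha256", "<Api Key>", "<Secret>") expression so the two schemes can be compared side by side.

```python
import hashlib
import hmac
import time
from typing import Mapping, Optional

# Constructed sample credentials for this example only (not real Boomi keys).
PACKAGE_KEY = "examplepackagekey"
PACKAGE_SECRET = "examplepackagesecret"
WINDOW_SECONDS = 5 * 60  # +/-5 minute validity window stated on the page


def make_signature(key: str, secret: str, epoch: int, algorithm: str = "sha256") -> str:
    """Key + Secret + Timestamp Hash: hex digest of key || secret || epoch.

    algorithm is "md5" or "sha256", the two Request Authentication Type choices.
    """
    if algorithm not in ("md5", "sha256"):
        raise ValueError("algorithm must be 'md5' or 'sha256'")
    return hashlib.new(algorithm, f"{key}{secret}{epoch}".encode()).hexdigest()


def place_signature(sig: str, location: str, params: dict, headers: dict) -> None:
    """Put the signature where the gateway looks for it: query parameter 'sig' or header
    'x-signature'. The API key's own location does not change this."""
    if location == "params":
        params["sig"] = sig
    elif location == "header":
        headers["x-signature"] = sig
    else:
        raise ValueError("location must be 'params' or 'header'")


def find_signature(params: Mapping[str, str], headers: Mapping[str, str]) -> Optional[str]:
    """Locate the signature in a received request (header names compared case-insensitively)."""
    if "sig" in params:
        return params["sig"]
    for name, value in headers.items():
        if name.lower() == "x-signature":
            return value
    return None


def verify_signature(sig: Optional[str], key: str, secret: str,
                     algorithm: str = "sha256", now: Optional[int] = None) -> bool:
    """Assumed gateway-side check: no timestamp is transmitted, so recompute the hash for
    every second inside the window and compare in constant time."""
    if not sig:
        return False
    now = int(time.time()) if now is None else now
    for epoch in range(now - WINDOW_SECONDS, now + WINDOW_SECONDS + 1):
        if hmac.compare_digest(make_signature(key, secret, epoch, algorithm), sig):
            return True
    return False


def hssm_signature(api_key: str, secret: str) -> str:
    """Mirror of the page's HSSM curl sample: hash_hmac('sha256', '<Api Key>', '<Secret>')."""
    return hmac.new(secret.encode(), api_key.encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    now = int(time.time())
    params, headers = {"api_key": PACKAGE_KEY}, {}
    place_signature(make_signature(PACKAGE_KEY, PACKAGE_SECRET, now), "header", params, headers)
    received = find_signature(params, headers)
    print("valid now:", verify_signature(received, PACKAGE_KEY, PACKAGE_SECRET, now=now))        # True
    print("valid 10 min later:", verify_signature(received, PACKAGE_KEY, PACKAGE_SECRET, now=now + 600))  # False
```

The window scan is what gives a replayed signature a bounded lifetime: a captured sig stops validating 5 minutes after the epoch it was built from, which is why the page's note about the +/-5 minute window matters for exposure, and why SHA-256 should be preferred over MD5 where both are offered.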

Custom Request Authentication Adapter

A class file with custom logic can be entered. The file is used by the Traffic Manager to perform OAuth authorization. To use a custom authentication mechanism, consult your Boomi Account Representative to help you create a custom authentication adapter. This option is visible when the Custom option is selected in the Request Authentication Type field.

Constructing Authentication Credentials Matrices

The following matrix provides information on how to construct specific authentication credentials for API Key or Key + Secret + Timestamp Hash (MD5) or Key + Secret + Timestamp Hash (SHA-256).

| If Request Authentication Type is: | And if Developer's API Key Location is: | Then for Key Field Identifier: |
| --- | --- | --- |
| API Key or Key + Secret + Timestamp Hash (MD5) or Key + Secret + Timestamp Hash (SHA-256) | Path | Set a path location (for API Key) or multiple path locations in the Key Field Identifier field. |
| API Key or Key + Secret + Timestamp Hash (MD5) or Key + Secret + Timestamp Hash (SHA-256) | Parameters | Leave the default value of api_key in the Key Field Identifier field. |
| API Key or Key + Secret + Timestamp Hash (MD5) or Key + Secret + Timestamp Hash (SHA-256) | Header | Leave the default value of api_key in the Key Field Identifier field. |
| API Key or Key + Secret + Timestamp Hash (MD5) or Key + Secret + Timestamp Hash (SHA-256) | Request Body | Leave the default value of api_key in the Key Field Identifier field. Note: Cloud API Management expects the body to be x-www-form-urlencoded in order to recognize the API Key. |
| API Key or Key + Secret + Timestamp Hash (MD5) or Key + Secret + Timestamp Hash (SHA-256) | Custom | Not applicable. Note: For proper authentication formatting in API requests, refer to the documentation provided with the custom authentication adapter. |

The following matrix provides information on how to construct specific authentication credentials for OAuth 2.0. These examples assume you construct the OAuth Token Request using the Package Key as the client_id and the Secret as the client_secret using the grant_type of client credentials.

| If Request Authentication Type is: | And if OAuth Grant Types is: | Then: |
| --- | --- | --- |
| OAuth 2.0 | Client Credentials, where you want to include the OAuth Client Credentials in the Request Body for Cloud API Management's Get Token request. | Cloud API Management expects the body to be x-www-form-urlencoded for it to recognize the OAuth credentials. |
| OAuth 2.0 | Client Credentials, where you want to include the OAuth Client Credentials in the Header and the grant_type in the body for the Get Token request. | Cloud API Management expects the body to be x-www-form-urlencoded for it to recognize the OAuth credentials. |
| OAuth 2.0 | Client Credentials, where you want to make an API call using an access token. | The API call should carry the access token in an Authorization header as Authorization: Bearer ACCESS_TOKEN. |