Authentication in API Management

Authentication in Boomi API Management ensures that only verified consumers can access a published API. This security layer is managed at the Gateway level through Authentication Sources, which act as a bridge between your Gateway and an Identity Provider (IdP).

Boomi supports two primary methods for securing your Gateway endpoints:

It is recommended that you use the OAuth 2.0 framework with OpenID to authenticate standard external users, leveraging JWT at the API gateway. This approach is flexible because it primarily requires a token that can be validated through the configured authentication source, which allows you to adopt flows other than the traditional authorization code flow.

For system-to-system communication, Mutual TLS with Client Certificate Authentication may be a preferable option. For quick prototyping or internal API use cases, Basic Authentication (username/password) via the Gateway can be utilized, allowing API execution authentication alongside Developer Portal sign-in.

Authentication Sources

The Configure Server > Authentication link in the API Management menu opens the Authentication Sources page.

This page allows you to add and manage authentication sources for your APIs. You can view existing configurations, monitor their usage, or remove those no longer required.

The following details are provided for each source:

  • Authentication Source Name: Name of the authentication source.

  • Authentication Type: The authentication provider.

  • API Usage: Number of deployments using the authentication source.

  • Developer Portals: Developer portals using the authentication source.

  • Description: General description about the authentication source.

  • Remove: Delete authentication sources that are not in use.

Note: You cannot delete an authentication source if it is in use by any deployments or is specified as the sign-in authentication source for any developer portal.

Refer to Adding a Basic Authentication Source and Adding a JWT Authentication Source for detailed configuration steps.
