According to the Cloud Endpoints docs, it seems like you have to pass the API key in the URL itself as a query parameter.
However, that makes us vulnerable to man-in-the-middle attacks. I was wondering if there was a way to have it work by passing the API key in the header instead.
I am working on a simple app which does not have any sign-in methods integrated already. Is there any alternative way of authentication in Cloud Endpoints where I am not required to add any existing sign-in method but will be able to use API keys securely?
I tried to define it as described in the OpenAPI v2 spec:

    securityDefinitions:
      api_key:
        type: "apiKey"
        name: "x-key"
        in: "header"

And I got this error message when deploying my Cloud Endpoint definition:

    WARNING: service.yaml: apiKey 'x-key' is ignored. Only apiKey with 'name' as 'key' and 'in' as 'query' are supported

So, it's not possible.
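
A pre-deploy check built on the warning quoted above, as an added example that is not part of the original post: it lists `apiKey` definitions other than `name: key` / `in: query` and the operations whose security requirements name only such definitions. The function names and the sample spec are hypothetical, and the rule is taken from the warning text alone.

```python
import json

# Constructed sample spec (OpenAPI v2 as JSON); paths and names are made up.
SAMPLE_SPEC = json.loads("""
{
  "swagger": "2.0",
  "securityDefinitions": {
    "api_key": {"type": "apiKey", "name": "x-key", "in": "header"},
    "query_key": {"type": "apiKey", "name": "key", "in": "query"}
  },
  "security": [{"api_key": []}],
  "paths": {
    "/items": {"get": {"responses": {"200": {"description": "ok"}}}},
    "/orders": {"get": {"security": [{"query_key": []}],
                        "responses": {"200": {"description": "ok"}}}}
  }
}
""")

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch"}


def ignored_api_keys(spec):
    """Names of apiKey definitions other than name 'key' in 'query'."""
    defs = spec.get("securityDefinitions", {})
    return sorted(
        name for name, d in defs.items()
        if d.get("type") == "apiKey"
        and (d.get("name"), d.get("in")) != ("key", "query")
    )


def operations_relying_on_ignored(spec):
    """Operations whose security requirements name only ignored apiKeys."""
    ignored = set(ignored_api_keys(spec))
    flagged = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # skip path-level keys such as 'parameters'
            # Operation-level 'security' overrides the top-level one.
            reqs = op.get("security", spec.get("security", []))
            schemes = [s for req in reqs for s in req]
            if schemes and all(s in ignored for s in schemes):
                flagged.append(f"{method.upper()} {path}")
    return sorted(flagged)


if __name__ == "__main__":
    print("ignored:", ignored_api_keys(SAMPLE_SPEC))
    print("affected:", operations_relying_on_ignored(SAMPLE_SPEC))
```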