wso2
diff --git a/‎docs/gateway/policies/apikey-authentication.md‎
Lines changed: 115 additions & 0 deletions b/‎docs/gateway/policies/apikey-authentication.md‎
Lines changed: 115 additions & 0 deletions
diff --git a/‎gateway/gateway-controller/default-policies/api-key-auth-v1.0.yaml‎
Lines changed: 50 additions & 0 deletions b/‎gateway/gateway-controller/default-policies/api-key-auth-v1.0.yaml‎
Lines changed: 50 additions & 0 deletions
@@ -0,0 +1,115 @@
+Introduce **APIKeyAuthentication Policy (v1.0.0)** featuring:
+- API key validation from headers or query parameters
+- Configurable key extraction with optional prefix stripping
+- Flexible authentication source configuration (header/query)
+- Pre-shared key validation against configured key lists
+- Request context enrichment with authentication metadata
+
+## Configuration Schema
+
+```yaml
+name: APIKeyAuthentication
+version: v1.0.0
+description: |
+  Implements API Key Authentication to protect APIs with pre-shared API keys.
+  Validates API keys from request headers or query parameters against a configured
+  list of valid keys and sets authentication metadata in the request context.
+
+parameters:
+  type: object
+  additionalProperties: false
+  properties:
+    key:
+      type: string
+      required: true
+      description: |
+        The name of the header or query parameter that contains the API key.
+        For headers: case-insensitive matching is used (e.g., "X-API-Key", "Authorization")
+        For query parameters: exact name matching is used (e.g., "api_key", "token")
+      validation:
+        minLength: 1
+        maxLength: 128
+
+    in:
+      type: string
+      required: true
+      description: |
+        Specifies where to look for the API key.
+        Must be either "header" or "query".
+      enum:
+        - "header"
+        - "query"
+
+    value-prefix:
+      type: string
+      required: false
+      description: |
+        Optional prefix that should be stripped from the API key value before validation.
+        Case-insensitive matching and removal. Common use case is "Bearer " for Authorization headers.
+        If specified, the prefix will be removed from the extracted value.
+      validation:
+        minLength: 1
+        maxLength: 64
+
+  required:
+    - key
+    - in
+
+initParameters:
+  type: object
+  properties: {}
+```
+
+## Configuration Notes
+
+The APIKeyAuthentication policy configuration only requires user provided parameters when attaching to an API or API resource. The policy does not define system-level initialization parameters (`initParameters` is empty), meaning all configuration is done by the API developer who attaches this policy to an API or API resource.
+
+Valid API keys are generated by the gateway, management portal, or developer portal. When a request is received, the API key sent in the request will be validated against the keys generated by these services. The policy handles the extraction and validation logic, while the actual key generation and management is handled by the platform's key management system.
+
+## Example API/Per-Route Configurations
+
+### Header-based API Key Authentication
+
+```yaml
+# API key in custom header
+name: APIKeyAuthentication
+version: v1.0.0
+params:
+  key: X-API-Key
+  in: header
+```
+
+### Authorization Header with Bearer Prefix
+
+```yaml
+# API key in Authorization header with Bearer prefix
+name: APIKeyAuthentication
+version: v1.0.0
+params:
+  key: Authorization
+  in: header
+  value-prefix: "Bearer "
+```
+
+### Query Parameter Authentication
+
+```yaml
+# API key as query parameter
+name: APIKeyAuthentication
+version: v1.0.0
+params:
+  key: api_key
+  in: query
+```
+
+### Custom Header with Prefix
+
+```yaml
+# API key in custom header with custom prefix
+name: APIKeyAuthentication
+version: v1.0.0
+params:
+  key: X-Custom-Auth
+  in: header
+  value-prefix: "ApiKey "
+```
@@ -0,0 +1,50 @@
+name: APIKeyAuthentication
+version: v1.0.0
+description: |
+  Implements API Key Authentication to protect APIs with pre-shared API keys.
+  Validates API keys from request headers or query parameters against a configured
+  list of valid keys and sets authentication metadata in the request context.
+
+parameters:
+  type: object
+  additionalProperties: false
+  properties:
+    key:
+      type: string
+      required: true
+      description: |
+        The name of the header or query parameter that contains the API key.
+        For headers: case-insensitive matching is used (e.g., "X-API-Key", "Authorization")
+        For query parameters: exact name matching is used (e.g., "api_key", "token")
+      validation:
+        minLength: 1
+        maxLength: 128
+
+    in:
+      type: string
+      required: true
+      description: |
+        Specifies where to look for the API key.
+        Must be either "header" or "query".
+      enum:
+        - "header"
+        - "query"
+
+    value-prefix:
+      type: string
+      required: false
+      description: |
+        Optional prefix that should be stripped from the API key value before validation.
+        Case-insensitive matching and removal. Common use case is "Bearer " for Authorization headers.
+        If specified, the prefix will be removed from the extracted value.
+      validation:
+        minLength: 1
+        maxLength: 64
+
+  required:
+    - key
+    - in
+
+initParameters:
+  type: object
+  properties: {}