How do I make an API public but subject to access control?


#1

My API has been private up until now (I hope). Now I want to make it public, but only accessible to users of my choice.

This page of the Mulesoft docs talks about the different policies that it’s possible to apply. So that looks like the place to start. But the documentation states:

policies can only be enforced by the Anypoint Platform
for endpoints that are registered on an API Gateway

… and I do not really want to use API Gateway. Is there an alternative?


#2

Well, you can easily specify, with RAML, how your API is secured, and document how developers can get access to it – usually through registering their apps against it. But to enforce that, you have to put something in the path of the API calls, to make sure that indeed all calls are authenticated that way. MuleSoft offers a gateway product that allows you to proxy those calls and enforce policies, and you can deploy that gateway on your premises or on MuleSoft’s CloudHub (running on AWS). Or you can choose any other vendor’s gateway to do something similar, or you can plug in some library that intercepts calls (depending on how you serve your APIs) and validates them against a service where your developer users have registered their apps, or you can roll your own. What were you looking to do? We can follow up on this by email too.